From c1be36b1d6d796eb0a8a53dca5d6fe44bcd3c89d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 13 Mar 2026 20:44:43 +0000 Subject: [PATCH 1/6] Initial plan From 2b437dc3216c47c40497323116d174ab1fb853c2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 13 Mar 2026 21:32:40 +0000 Subject: [PATCH 2/6] refactor: replace hardcoded /opt/gh-aw/ paths with GhAwHome constants Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- actions/setup/setup.sh | 27 ++++++++---- actions/setup/sh/start_mcp_gateway.sh | 14 +++--- actions/setup/sh/start_mcp_scripts_server.sh | 14 +++--- actions/setup/sh/start_safe_outputs_server.sh | 14 +++--- pkg/constants/constants.go | 7 ++- pkg/workflow/agentic_engine.go | 2 +- pkg/workflow/cache.go | 18 ++++---- pkg/workflow/compiler_main_job.go | 22 +++------- pkg/workflow/compiler_safe_outputs_job.go | 10 ++++- pkg/workflow/compiler_yaml.go | 10 ++--- pkg/workflow/compiler_yaml_ai_execution.go | 16 +++---- pkg/workflow/compiler_yaml_helpers.go | 20 ++++----- pkg/workflow/compiler_yaml_main_job.go | 10 +++-- pkg/workflow/copilot_engine_execution.go | 2 +- pkg/workflow/copilot_engine_installation.go | 2 +- pkg/workflow/copilot_installer.go | 2 +- pkg/workflow/docker.go | 2 +- pkg/workflow/git_configuration_steps.go | 2 +- pkg/workflow/mcp_config_builtin.go | 2 +- pkg/workflow/mcp_github_config.go | 2 +- pkg/workflow/mcp_renderer.go | 2 +- pkg/workflow/mcp_renderer_builtin.go | 2 +- pkg/workflow/mcp_scripts_generator.go | 2 +- pkg/workflow/mcp_scripts_parser.go | 2 +- pkg/workflow/mcp_setup_generator.go | 44 +++++++++---------- pkg/workflow/notify_comment.go | 9 ++-- pkg/workflow/pr.go | 8 ++-- pkg/workflow/prompt_constants.go | 2 +- pkg/workflow/redact_secrets.go | 4 +- pkg/workflow/repo_memory.go | 11 ++--- pkg/workflow/safe_jobs.go | 6 +-- pkg/workflow/safe_outputs_jobs.go | 8 ++-- pkg/workflow/setup_action_paths.go | 26 ++++++++++- pkg/workflow/step_order_validation.go | 2 +- pkg/workflow/template.go | 4 +- pkg/workflow/threat_detection.go | 8 ++-- pkg/workflow/unified_prompt_step.go | 2 +- 37 files changed, 190 insertions(+), 150 deletions(-) diff --git a/actions/setup/setup.sh b/actions/setup/setup.sh index 4e5ecfca15..d934b596df 100755 --- a/actions/setup/setup.sh +++ b/actions/setup/setup.sh @@ -14,19 +14,28 @@ set -e -# Helper: create directories with sudo on macOS where /opt is root-owned +# Helper: create directories, falling back to sudo when /opt (or similar) is root-owned create_dir() { - if [[ "$(uname -s)" == "Darwin" ]]; then - sudo mkdir -p "$1" - sudo chown -R "$(whoami)" "$1" - else - mkdir -p "$1" + if mkdir -p "$1" 2>/dev/null; then + return fi + # Fall back to sudo if regular mkdir fails (e.g., /opt is root-owned on Linux and macOS) + sudo mkdir -p "$1" + sudo chown -R "$(whoami)" "$1" } # Get destination from input or use default DESTINATION="${INPUT_DESTINATION:-/opt/gh-aw/actions}" +# Derive GH_AW_HOME from DESTINATION (strip /actions suffix) +# This allows setup.sh to be used with custom base directories +GH_AW_HOME="${DESTINATION%/actions}" + +# Export GH_AW_HOME to $GITHUB_ENV so all subsequent steps can use it +if [ -n "${GITHUB_ENV}" ]; then + echo "GH_AW_HOME=${GH_AW_HOME}" >> "${GITHUB_ENV}" +fi + # Get safe-output-custom-tokens flag from input (default: false) SAFE_OUTPUT_CUSTOM_TOKENS_ENABLED="${INPUT_SAFE_OUTPUT_CUSTOM_TOKENS:-false}" @@ -118,7 +127,7 @@ fi echo "Successfully copied ${FILE_COUNT} files to ${DESTINATION}" # Copy prompt markdown files to their expected directory -PROMPTS_DEST="/opt/gh-aw/prompts" +PROMPTS_DEST="${GH_AW_HOME}/prompts" echo "Copying prompt markdown files to ${PROMPTS_DEST}" create_dir "${PROMPTS_DEST}" @@ -140,7 +149,7 @@ else fi # Copy mcp-scripts files to their expected directory -MCP_SCRIPTS_DEST="/opt/gh-aw/mcp-scripts" +MCP_SCRIPTS_DEST="${GH_AW_HOME}/mcp-scripts" echo "Copying mcp-scripts files to ${MCP_SCRIPTS_DEST}" create_dir "${MCP_SCRIPTS_DEST}" @@ -194,7 +203,7 @@ fi echo "Successfully copied ${MCP_SCRIPTS_COUNT} mcp-scripts files to ${MCP_SCRIPTS_DEST}" # Copy safe-outputs files to their expected directory -SAFE_OUTPUTS_DEST="/opt/gh-aw/safeoutputs" +SAFE_OUTPUTS_DEST="${GH_AW_HOME}/safeoutputs" echo "Copying safe-outputs files to ${SAFE_OUTPUTS_DEST}" create_dir "${SAFE_OUTPUTS_DEST}" diff --git a/actions/setup/sh/start_mcp_gateway.sh b/actions/setup/sh/start_mcp_gateway.sh index f46547dad4..59ae5cd033 100755 --- a/actions/setup/sh/start_mcp_gateway.sh +++ b/actions/setup/sh/start_mcp_gateway.sh @@ -355,19 +355,19 @@ echo "Detected engine type: $ENGINE_TYPE" case "$ENGINE_TYPE" in copilot) echo "Using Copilot converter..." - bash /opt/gh-aw/actions/convert_gateway_config_copilot.sh + bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_copilot.sh ;; codex) echo "Using Codex converter..." - bash /opt/gh-aw/actions/convert_gateway_config_codex.sh + bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_codex.sh ;; claude) echo "Using Claude converter..." - bash /opt/gh-aw/actions/convert_gateway_config_claude.sh + bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_claude.sh ;; gemini) echo "Using Gemini converter..." - bash /opt/gh-aw/actions/convert_gateway_config_gemini.sh + bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_gemini.sh ;; *) echo "No agent-specific converter found for engine: $ENGINE_TYPE" @@ -384,13 +384,13 @@ echo "" # Check MCP server functionality echo "Checking MCP server functionality..." MCP_CHECK_START=$(date +%s%3N) -if [ -f /opt/gh-aw/actions/check_mcp_servers.sh ]; then +if [ -f ${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh ]; then echo "Running MCP server checks..." # Store check diagnostic logs in /tmp/gh-aw/mcp-logs/start-gateway.log for artifact upload # Use tee to output to both stdout and the log file # Enable pipefail so the exit code comes from check_mcp_servers.sh, not tee set -o pipefail - if ! bash /opt/gh-aw/actions/check_mcp_servers.sh \ + if ! bash ${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh \ /tmp/gh-aw/mcp-config/gateway-output.json \ "http://localhost:${MCP_GATEWAY_PORT}" \ "${MCP_GATEWAY_API_KEY}" 2>&1 | tee /tmp/gh-aw/mcp-logs/start-gateway.log; then @@ -402,7 +402,7 @@ if [ -f /opt/gh-aw/actions/check_mcp_servers.sh ]; then set +o pipefail print_timing $MCP_CHECK_START "MCP server connectivity checks" else - echo "WARNING: MCP server check script not found at /opt/gh-aw/actions/check_mcp_servers.sh" + echo "WARNING: MCP server check script not found at ${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh" echo "Skipping MCP server functionality checks" fi echo "" diff --git a/actions/setup/sh/start_mcp_scripts_server.sh b/actions/setup/sh/start_mcp_scripts_server.sh index e1899ab3b2..0c79ae537c 100755 --- a/actions/setup/sh/start_mcp_scripts_server.sh +++ b/actions/setup/sh/start_mcp_scripts_server.sh @@ -4,20 +4,20 @@ set -e -cd /opt/gh-aw/mcp-scripts || exit 1 +cd ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts || exit 1 # Verify required files exist echo "Verifying mcp-scripts setup..." # Check core configuration files if [ ! -f mcp-server.cjs ]; then - echo "ERROR: mcp-server.cjs not found in /opt/gh-aw/mcp-scripts" - ls -la /opt/gh-aw/mcp-scripts/ + echo "ERROR: mcp-server.cjs not found in ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts" + ls -la ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/ exit 1 fi if [ ! -f tools.json ]; then - echo "ERROR: tools.json not found in /opt/gh-aw/mcp-scripts" - ls -la /opt/gh-aw/mcp-scripts/ + echo "ERROR: tools.json not found in ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts" + ls -la ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/ exit 1 fi @@ -48,13 +48,13 @@ for dep in "${REQUIRED_DEPS[@]}"; do done if [ ${#MISSING_FILES[@]} -gt 0 ]; then - echo "ERROR: Missing required dependency files in /opt/gh-aw/mcp-scripts/" + echo "ERROR: Missing required dependency files in ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/" for file in "${MISSING_FILES[@]}"; do echo " - $file" done echo echo "Current directory contents:" - ls -la /opt/gh-aw/mcp-scripts/ + ls -la ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/ echo echo "These files should have been copied by the Setup Scripts action." echo "This usually indicates a problem with the actions/setup step." diff --git a/actions/setup/sh/start_safe_outputs_server.sh b/actions/setup/sh/start_safe_outputs_server.sh index fe763edd86..ef1628de05 100755 --- a/actions/setup/sh/start_safe_outputs_server.sh +++ b/actions/setup/sh/start_safe_outputs_server.sh @@ -4,20 +4,20 @@ set -e -cd /opt/gh-aw/safeoutputs || exit 1 +cd ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs || exit 1 # Verify required files exist echo "Verifying safe-outputs setup..." # Check core files (mcp-server.cjs and tools.json are required) if [ ! -f mcp-server.cjs ]; then - echo "ERROR: mcp-server.cjs not found in /opt/gh-aw/safeoutputs" - ls -la /opt/gh-aw/safeoutputs/ + echo "ERROR: mcp-server.cjs not found in ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs" + ls -la ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/ exit 1 fi if [ ! -f tools.json ]; then - echo "ERROR: tools.json not found in /opt/gh-aw/safeoutputs" - ls -la /opt/gh-aw/safeoutputs/ + echo "ERROR: tools.json not found in ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs" + ls -la ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/ exit 1 fi @@ -48,13 +48,13 @@ for dep in "${REQUIRED_DEPS[@]}"; do done if [ ${#MISSING_FILES[@]} -gt 0 ]; then - echo "ERROR: Missing required dependency files in /opt/gh-aw/safeoutputs/" + echo "ERROR: Missing required dependency files in ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/" for file in "${MISSING_FILES[@]}"; do echo " - $file" done echo echo "Current directory contents:" - ls -la /opt/gh-aw/safeoutputs/ + ls -la ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/ echo echo "These files should have been copied by the Setup Scripts action." echo "This usually indicates a problem with the actions/setup step." diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 01944ff92b..f9c3a23168 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -435,9 +435,12 @@ const DefaultAlpineImage = "alpine:latest" // This image is built during workflow execution and includes the gh-aw binary and dependencies const DevModeGhAwImage = "localhost/gh-aw:dev" +// GhAwHomeDefault is the default value for GH_AW_HOME when the env var is not set +const GhAwHomeDefault = "/opt/gh-aw" + // DefaultGhAwMount is the mount path for the gh-aw directory in containerized MCP servers -// The gh-aw binary and supporting files are mounted read-only from /opt/gh-aw -const DefaultGhAwMount = "/opt/gh-aw:/opt/gh-aw:ro" +// Uses shell expansion so docker gets the resolved path at runtime +const DefaultGhAwMount = "\\${GH_AW_HOME:-/opt/gh-aw}:\\${GH_AW_HOME:-/opt/gh-aw}:ro" // DefaultGhBinaryMount is the mount path for the gh CLI binary in containerized MCP servers // The gh CLI is required for agentic-workflows MCP server to run gh commands diff --git a/pkg/workflow/agentic_engine.go b/pkg/workflow/agentic_engine.go index 7c2db6a27c..cf3be4df51 100644 --- a/pkg/workflow/agentic_engine.go +++ b/pkg/workflow/agentic_engine.go @@ -501,7 +501,7 @@ func GenerateMultiSecretValidationStep(secretNames []string, engineName, docsURL stepLines := []string{ stepName, " id: validate-secret", - " run: /opt/gh-aw/actions/validate_multi_secret.sh " + scriptArgsStr, + " run: " + GhAwHome + "/actions/validate_multi_secret.sh " + scriptArgsStr, " env:", } diff --git a/pkg/workflow/cache.go b/pkg/workflow/cache.go index 3f6f8dd9b4..709c894192 100644 --- a/pkg/workflow/cache.go +++ b/pkg/workflow/cache.go @@ -360,7 +360,7 @@ func generateCacheMemorySteps(builder *strings.Builder, data *WorkflowData) { if useBackwardCompatiblePaths { // For single default cache, use the original directory for backward compatibility builder.WriteString(" - name: Create cache-memory directory\n") - builder.WriteString(" run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh\n") + builder.WriteString(" run: bash " + GhAwHome + "/actions/create_cache_memory_dir.sh\n") } else { fmt.Fprintf(builder, " - name: Create cache-memory directory (%s)\n", cache.ID) builder.WriteString(" run: |\n") @@ -498,9 +498,9 @@ func generateCacheMemoryValidation(builder *strings.Builder, data *WorkflowData) // Build validation script var validationScript strings.Builder - validationScript.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + validationScript.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") validationScript.WriteString(" setupGlobals(core, github, context, exec, io);\n") - validationScript.WriteString(" const { validateMemoryFiles } = require('/opt/gh-aw/actions/validate_memory_files.cjs');\n") + validationScript.WriteString(" const { validateMemoryFiles } = require(" + JsRequireGhAw("actions/validate_memory_files.cjs") + ");\n") fmt.Fprintf(&validationScript, " const allowedExtensions = %s;\n", allowedExtsJSON) fmt.Fprintf(&validationScript, " const result = validateMemoryFiles('%s', 'cache', allowedExtensions);\n", cacheDir) validationScript.WriteString(" if (!result.valid) {\n") @@ -770,9 +770,9 @@ func (c *Compiler) buildUpdateCacheMemoryJob(data *WorkflowData, threatDetection // Build validation script var validationScript strings.Builder - validationScript.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + validationScript.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") validationScript.WriteString(" setupGlobals(core, github, context, exec, io);\n") - validationScript.WriteString(" const { validateMemoryFiles } = require('/opt/gh-aw/actions/validate_memory_files.cjs');\n") + validationScript.WriteString(" const { validateMemoryFiles } = require(" + JsRequireGhAw("actions/validate_memory_files.cjs") + ");\n") fmt.Fprintf(&validationScript, " const allowedExtensions = %s;\n", allowedExtsJSON) fmt.Fprintf(&validationScript, " const result = validateMemoryFiles('%s', 'cache', allowedExtensions);\n", cacheDir) validationScript.WriteString(" if (!result.valid) {\n") @@ -844,11 +844,11 @@ func (c *Compiler) buildUpdateCacheMemoryJob(data *WorkflowData, threatDetection } // Set GH_AW_WORKFLOW_ID_SANITIZED so cache keys match those used in the agent job - var jobEnv map[string]string + jobEnv := map[string]string{ + "GH_AW_HOME": constants.GhAwHomeDefault, + } if data.WorkflowID != "" { - jobEnv = map[string]string{ - "GH_AW_WORKFLOW_ID_SANITIZED": SanitizeWorkflowIDForCacheKey(data.WorkflowID), - } + jobEnv["GH_AW_WORKFLOW_ID_SANITIZED"] = SanitizeWorkflowIDForCacheKey(data.WorkflowID) } job := &Job{ diff --git a/pkg/workflow/compiler_main_job.go b/pkg/workflow/compiler_main_job.go index 11d72efa9a..4a4a06a3b5 100644 --- a/pkg/workflow/compiler_main_job.go +++ b/pkg/workflow/compiler_main_job.go @@ -174,24 +174,17 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( } } - // Build job-level environment variables for safe outputs - var env map[string]string - if data.SafeOutputs != nil { - env = make(map[string]string) - - // Set GH_AW_SAFE_OUTPUTS to path in /opt (read-only mount for agent container) - // The MCP server writes agent outputs to this file during execution - // This file is in /opt to prevent the agent container from having write access - env["GH_AW_SAFE_OUTPUTS"] = "/opt/gh-aw/safeoutputs/outputs.jsonl" + // Build job-level environment variables + // Always initialize env with GH_AW_HOME so steps don't need the :-fallback syntax + env := map[string]string{ + "GH_AW_HOME": constants.GhAwHomeDefault, + } + if data.SafeOutputs != nil { // Set GH_AW_MCP_LOG_DIR for safe outputs MCP server logging // Store in mcp-logs directory so it's included in mcp-logs artifact env["GH_AW_MCP_LOG_DIR"] = "/tmp/gh-aw/mcp-logs/safeoutputs" - // Set config and tools paths (readonly files in /opt/gh-aw) - env["GH_AW_SAFE_OUTPUTS_CONFIG_PATH"] = "/opt/gh-aw/safeoutputs/config.json" - env["GH_AW_SAFE_OUTPUTS_TOOLS_PATH"] = "/opt/gh-aw/safeoutputs/tools.json" - // Add asset-related environment variables // These must always be set (even to empty) because awmg v0.0.12+ validates ${VAR} references if data.SafeOutputs.UploadAssets != nil { @@ -214,9 +207,6 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( // This contains the workflow ID with all hyphens removed and lowercased // Used in cache keys to avoid spaces and special characters if data.WorkflowID != "" { - if env == nil { - env = make(map[string]string) - } sanitizedID := SanitizeWorkflowIDForCacheKey(data.WorkflowID) env["GH_AW_WORKFLOW_ID_SANITIZED"] = sanitizedID } diff --git a/pkg/workflow/compiler_safe_outputs_job.go b/pkg/workflow/compiler_safe_outputs_job.go index f376b452eb..75eed2f444 100644 --- a/pkg/workflow/compiler_safe_outputs_job.go +++ b/pkg/workflow/compiler_safe_outputs_job.go @@ -268,7 +268,12 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa if len(c.generateCheckoutActionsFolder(data)) > 0 { insertIndex += 6 // Checkout step (6 lines: name, uses, with, sparse-checkout header, actions, persist-credentials) } - insertIndex += 4 // Setup step (4 lines: name, uses, with, destination) + enableCustomTokensForInsert := c.hasCustomTokenSafeOutputs(data.SafeOutputs) +if enableCustomTokensForInsert { +insertIndex += 4 // Setup step with custom tokens (4 lines: name, uses, with, safe-output-custom-tokens) +} else { +insertIndex += 2 // Setup step without custom tokens (2 lines: name, uses) +} } // Add artifact download steps count @@ -385,6 +390,9 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa func (c *Compiler) buildJobLevelSafeOutputEnvVars(data *WorkflowData, workflowID string) map[string]string { envVars := make(map[string]string) + // Set GH_AW_HOME so steps can use $GH_AW_HOME without the :-fallback syntax + envVars["GH_AW_HOME"] = constants.GhAwHomeDefault + // Set GH_AW_WORKFLOW_ID to the workflow ID (filename without extension) // This is used for branch naming in create_pull_request and other operations envVars["GH_AW_WORKFLOW_ID"] = fmt.Sprintf("%q", workflowID) diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go index 918de3a949..bb04309b4f 100644 --- a/pkg/workflow/compiler_yaml.go +++ b/pkg/workflow/compiler_yaml.go @@ -508,13 +508,13 @@ func (c *Compiler) generatePrompt(yaml *strings.Builder, data *WorkflowData, pre yaml.WriteString(" - name: Validate prompt placeholders\n") yaml.WriteString(" env:\n") yaml.WriteString(" GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/validate_prompt_placeholders.sh\n") // Print prompt (merged into prompt generation) yaml.WriteString(" - name: Print prompt\n") yaml.WriteString(" env:\n") yaml.WriteString(" GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/print_prompt_summary.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/print_prompt_summary.sh\n") } func (c *Compiler) generatePostSteps(yaml *strings.Builder, data *WorkflowData) { if data.PostSteps != "" { @@ -665,7 +665,7 @@ func (c *Compiler) generateCreateAwInfo(yaml *strings.Builder, data *WorkflowDat fmt.Fprintf(yaml, " uses: %s\n", GetActionPin("actions/github-script")) yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/generate_aw_info.cjs") + ");\n") yaml.WriteString(" await main(core, context);\n") } @@ -724,9 +724,9 @@ func (c *Compiler) generateOutputCollectionStep(yaml *strings.Builder, data *Wor yaml.WriteString(" script: |\n") // Load script from external file using require() - yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/collect_ndjson_output.cjs") + ");\n") yaml.WriteString(" await main();\n") } diff --git a/pkg/workflow/compiler_yaml_ai_execution.go b/pkg/workflow/compiler_yaml_ai_execution.go index c0ac972ff1..f1a0bcc085 100644 --- a/pkg/workflow/compiler_yaml_ai_execution.go +++ b/pkg/workflow/compiler_yaml_ai_execution.go @@ -47,10 +47,10 @@ func (c *Compiler) generateLogParsing(yaml *strings.Builder, engine CodingAgentE yaml.WriteString(" script: |\n") // Use the setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load log parser script from external file using require() - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/" + parserScriptName + ".cjs');\n") + yaml.WriteString(" const { main } = require(" + GhAwHomeJS + " + '/actions/" + parserScriptName + ".cjs');\n") yaml.WriteString(" await main();\n") } @@ -65,10 +65,10 @@ func (c *Compiler) generateMCPScriptsLogParsing(yaml *strings.Builder) { yaml.WriteString(" script: |\n") // Use the setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load mcp-scripts log parser script from external file using require() - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/parse_mcp_scripts_logs.cjs") + ");\n") yaml.WriteString(" await main();\n") } @@ -83,10 +83,10 @@ func (c *Compiler) generateMCPGatewayLogParsing(yaml *strings.Builder) { yaml.WriteString(" script: |\n") // Use the setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load MCP gateway log parser script from external file using require() - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/parse_mcp_gateway_log.cjs") + ");\n") yaml.WriteString(" await main();\n") } @@ -108,7 +108,7 @@ func (c *Compiler) generateStopMCPGateway(yaml *strings.Builder, data *WorkflowD yaml.WriteString(" GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" bash /opt/gh-aw/actions/stop_mcp_gateway.sh \"$GATEWAY_PID\"\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/stop_mcp_gateway.sh \"$GATEWAY_PID\"\n") } // generateAgentStepSummaryAppend generates a step that appends the agent's GITHUB_STEP_SUMMARY @@ -120,5 +120,5 @@ func (c *Compiler) generateAgentStepSummaryAppend(yaml *strings.Builder) { yaml.WriteString(" - name: Append agent step summary\n") yaml.WriteString(" if: always()\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/append_agent_step_summary.sh\n") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/append_agent_step_summary.sh\n") } diff --git a/pkg/workflow/compiler_yaml_helpers.go b/pkg/workflow/compiler_yaml_helpers.go index 866e97a2dc..23a478c106 100644 --- a/pkg/workflow/compiler_yaml_helpers.go +++ b/pkg/workflow/compiler_yaml_helpers.go @@ -134,11 +134,11 @@ func generatePlaceholderSubstitutionStep(yaml *strings.Builder, expressionMappin yaml.WriteString(indent + " script: |\n") // Use setup_globals helper to make GitHub Actions objects available globally - yaml.WriteString(indent + " const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(indent + " const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(indent + " setupGlobals(core, github, context, exec, io);\n") yaml.WriteString(indent + " \n") // Use require() to load script from copied files - yaml.WriteString(indent + " const substitutePlaceholders = require('" + SetupActionDestination + "/substitute_placeholders.cjs');\n") + yaml.WriteString(indent + " const substitutePlaceholders = require(" + JsRequireGhAw("actions/substitute_placeholders.cjs") + ");\n") yaml.WriteString(indent + " \n") yaml.WriteString(indent + " // Call the substitution function\n") yaml.WriteString(indent + " return await substitutePlaceholders({\n") @@ -270,9 +270,9 @@ func generateGitHubScriptWithRequire(scriptPath string) string { var script strings.Builder // Use the setup_globals helper to store GitHub Actions objects in global scope - script.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + script.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") script.WriteString(" setupGlobals(core, github, context, exec, io);\n") - script.WriteString(" const { main } = require('" + SetupActionDestination + "/" + scriptPath + "');\n") + script.WriteString(" const { main } = require(" + JsRequireGhAw("actions/"+scriptPath) + ");\n") script.WriteString(" await main();\n") return script.String() @@ -308,7 +308,7 @@ func generateInlineGitHubScriptStep(stepName, script, condition string) string { // // Parameters: // - setupActionRef: The action reference for setup action (e.g., "./actions/setup" or "github/gh-aw/actions/setup@sha") -// - destination: The destination path where files should be copied (e.g., SetupActionDestination) +// - destination: Unused. Kept for API compatibility. The setup action defaults to /opt/gh-aw/actions. // - enableCustomTokens: Whether to enable custom-token support (installs @actions/github so handler_auth.cjs can create per-handler Octokit clients) // // Returns a slice of strings representing the YAML lines for the setup step. @@ -319,23 +319,23 @@ func (c *Compiler) generateSetupStep(setupActionRef string, destination string, " - name: Setup Scripts\n", " run: |\n", " bash /tmp/gh-aw/actions-source/actions/setup/setup.sh\n", - " env:\n", - fmt.Sprintf(" INPUT_DESTINATION: %s\n", destination), } if enableCustomTokens { + lines = append(lines, " env:\n") lines = append(lines, " INPUT_SAFE_OUTPUT_CUSTOM_TOKENS: 'true'\n") } return lines } - // Dev/Release mode: use the setup action + // Dev/Release mode: use the setup action. + // The destination defaults to /opt/gh-aw/actions in action.yml, which setup.sh uses + // to derive GH_AW_HOME and export it to $GITHUB_ENV for subsequent steps. lines := []string{ " - name: Setup Scripts\n", fmt.Sprintf(" uses: %s\n", setupActionRef), - " with:\n", - fmt.Sprintf(" destination: %s\n", destination), } if enableCustomTokens { + lines = append(lines, " with:\n") lines = append(lines, " safe-output-custom-tokens: 'true'\n") } return lines diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index b11f9eb5bf..cf38492252 100644 --- a/pkg/workflow/compiler_yaml_main_job.go +++ b/pkg/workflow/compiler_yaml_main_job.go @@ -117,9 +117,9 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/merge_remote_agent_github_folder.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/merge_remote_agent_github_folder.cjs") + ");\n") yaml.WriteString(" await main();\n") } @@ -178,7 +178,11 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat // Create /tmp/gh-aw/ base directory for all temporary files // This must be created before custom steps so they can use the temp directory yaml.WriteString(" - name: Create gh-aw temp directory\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh\n") + yaml.WriteString(" run: |\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/create_gh_aw_tmp_dir.sh\n") + yaml.WriteString(" echo \"GH_AW_SAFE_OUTPUTS=" + GhAwHome + "/safeoutputs/outputs.jsonl\" >> \"$GITHUB_ENV\"\n") + yaml.WriteString(" echo \"GH_AW_SAFE_OUTPUTS_CONFIG_PATH=" + GhAwHome + "/safeoutputs/config.json\" >> \"$GITHUB_ENV\"\n") + yaml.WriteString(" echo \"GH_AW_SAFE_OUTPUTS_TOOLS_PATH=" + GhAwHome + "/safeoutputs/tools.json\" >> \"$GITHUB_ENV\"\n") // Add custom steps if present if data.CustomSteps != "" { diff --git a/pkg/workflow/copilot_engine_execution.go b/pkg/workflow/copilot_engine_execution.go index ceeeb0d406..44313c2546 100644 --- a/pkg/workflow/copilot_engine_execution.go +++ b/pkg/workflow/copilot_engine_execution.go @@ -404,7 +404,7 @@ func generateInferenceAccessErrorDetectionStep() GitHubActionStep { step = append(step, " id: detect-inference-error") step = append(step, " if: always()") step = append(step, " continue-on-error: true") - step = append(step, " run: bash /opt/gh-aw/actions/detect_inference_access_error.sh") + step = append(step, " run: bash "+GhAwHome+"/actions/detect_inference_access_error.sh") return GitHubActionStep(step) } diff --git a/pkg/workflow/copilot_engine_installation.go b/pkg/workflow/copilot_engine_installation.go index 06062185fc..fd404608d9 100644 --- a/pkg/workflow/copilot_engine_installation.go +++ b/pkg/workflow/copilot_engine_installation.go @@ -161,7 +161,7 @@ func generateAWFInstallationStep(version string, agentConfig *AgentSandboxConfig stepLines := []string{ " - name: Install AWF binary", - " run: bash /opt/gh-aw/actions/install_awf_binary.sh " + version, + " run: bash " + GhAwHome + "/actions/install_awf_binary.sh " + version, } return GitHubActionStep(stepLines) diff --git a/pkg/workflow/copilot_installer.go b/pkg/workflow/copilot_installer.go index 451a190aa4..6c110c4dc1 100644 --- a/pkg/workflow/copilot_installer.go +++ b/pkg/workflow/copilot_installer.go @@ -22,7 +22,7 @@ func GenerateCopilotInstallerSteps(version, stepName string) []GitHubActionStep // This script includes retry logic for robustness against transient network failures stepLines := []string{ " - name: " + stepName, - " run: /opt/gh-aw/actions/install_copilot_cli.sh " + version, + " run: " + GhAwHome + "/actions/install_copilot_cli.sh " + version, } return []GitHubActionStep{GitHubActionStep(stepLines)} diff --git a/pkg/workflow/docker.go b/pkg/workflow/docker.go index 6a4339fb6e..f8f7df08e4 100644 --- a/pkg/workflow/docker.go +++ b/pkg/workflow/docker.go @@ -184,7 +184,7 @@ func generateDownloadDockerImagesStep(yaml *strings.Builder, dockerImages []stri } yaml.WriteString(" - name: Download container images\n") - yaml.WriteString(" run: bash /opt/gh-aw/actions/download_docker_images.sh") + yaml.WriteString(" run: bash " + GhAwHome + "/actions/download_docker_images.sh") for _, image := range dockerImages { fmt.Fprintf(yaml, " %s", image) } diff --git a/pkg/workflow/git_configuration_steps.go b/pkg/workflow/git_configuration_steps.go index 863492bd8b..277fa832ba 100644 --- a/pkg/workflow/git_configuration_steps.go +++ b/pkg/workflow/git_configuration_steps.go @@ -72,6 +72,6 @@ func getGitIdentityEnvVars() map[string]string { func (c *Compiler) generateGitCredentialsCleanerStep() []string { return []string{ " - name: Clean git credentials\n", - " run: bash /opt/gh-aw/actions/clean_git_credentials.sh\n", + " run: bash " + GhAwHome + "/actions/clean_git_credentials.sh\n", } } diff --git a/pkg/workflow/mcp_config_builtin.go b/pkg/workflow/mcp_config_builtin.go index 7f42d4e5ce..6369c767c3 100644 --- a/pkg/workflow/mcp_config_builtin.go +++ b/pkg/workflow/mcp_config_builtin.go @@ -216,7 +216,7 @@ func renderAgenticWorkflowsMCPConfigWithOptions(yaml *strings.Builder, isLast bo // Release mode: Use minimal Alpine image with mounted binaries // The gh-aw binary is mounted from /opt/gh-aw and executed directly // Pass --validate-actor flag to enable role-based access control - entrypoint = "/opt/gh-aw/gh-aw" + entrypoint = GhAwHome + "/gh-aw" entrypointArgs = []string{"mcp-server", "--validate-actor"} // Mount gh-aw binary, gh CLI binary, workspace, and temp directory mounts = []string{constants.DefaultGhAwMount, constants.DefaultGhBinaryMount, constants.DefaultWorkspaceMount, constants.DefaultTmpGhAwMount} diff --git a/pkg/workflow/mcp_github_config.go b/pkg/workflow/mcp_github_config.go index bb9d783179..240ac6a39a 100644 --- a/pkg/workflow/mcp_github_config.go +++ b/pkg/workflow/mcp_github_config.go @@ -427,7 +427,7 @@ func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder, } yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');\n") + yaml.WriteString(" const determineAutomaticLockdown = require(" + JsRequireGhAw("actions/determine_automatic_lockdown.cjs") + ");\n") yaml.WriteString(" await determineAutomaticLockdown(github, context, core);\n") } diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go index 9a2d1bfbd5..30a8f97f4b 100644 --- a/pkg/workflow/mcp_renderer.go +++ b/pkg/workflow/mcp_renderer.go @@ -206,7 +206,7 @@ func RenderJSONMCPConfig( delimiter := GenerateHeredocDelimiter("MCP_CONFIG") // Write the configuration to the YAML output - yaml.WriteString(" cat << " + delimiter + " | bash /opt/gh-aw/actions/start_mcp_gateway.sh\n") + yaml.WriteString(" cat << " + delimiter + " | bash " + GhAwHome + "/actions/start_mcp_gateway.sh\n") yaml.WriteString(generatedConfig) yaml.WriteString(" " + delimiter + "\n") diff --git a/pkg/workflow/mcp_renderer_builtin.go b/pkg/workflow/mcp_renderer_builtin.go index 796033a365..a8d65bcbaa 100644 --- a/pkg/workflow/mcp_renderer_builtin.go +++ b/pkg/workflow/mcp_renderer_builtin.go @@ -240,7 +240,7 @@ func (r *MCPConfigRendererUnified) renderAgenticWorkflowsTOML(yaml *strings.Buil mounts = []string{constants.DefaultWorkspaceMount, constants.DefaultTmpGhAwMount} } else { // Release mode: Use minimal Alpine image with mounted binaries - entrypoint = "/opt/gh-aw/gh-aw" + entrypoint = GhAwHome + "/gh-aw" entrypointArgs = []string{"mcp-server", "--validate-actor"} // Mount gh-aw binary, gh CLI binary, workspace, and temp directory mounts = []string{constants.DefaultGhAwMount, constants.DefaultGhBinaryMount, constants.DefaultWorkspaceMount, constants.DefaultTmpGhAwMount} diff --git a/pkg/workflow/mcp_scripts_generator.go b/pkg/workflow/mcp_scripts_generator.go index b109033d4e..780b90c8d9 100644 --- a/pkg/workflow/mcp_scripts_generator.go +++ b/pkg/workflow/mcp_scripts_generator.go @@ -164,7 +164,7 @@ const apiKey = process.env.GH_AW_MCP_SCRIPTS_API_KEY || ""; startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: ` + GhAwHomeJS + ` + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); diff --git a/pkg/workflow/mcp_scripts_parser.go b/pkg/workflow/mcp_scripts_parser.go index cfdf94b49e..d9d26a4504 100644 --- a/pkg/workflow/mcp_scripts_parser.go +++ b/pkg/workflow/mcp_scripts_parser.go @@ -52,7 +52,7 @@ const ( ) // MCPScriptsDirectory is the directory where mcp-scripts files are generated -const MCPScriptsDirectory = "/opt/gh-aw/mcp-scripts" +const MCPScriptsDirectory = GhAwHome + "/mcp-scripts" // HasMCPScripts checks if mcp-scripts are configured func HasMCPScripts(mcpScripts *MCPScriptsConfig) bool { diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 6f17d1717c..cd5a285307 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -184,12 +184,12 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" fi\n") yaml.WriteString(" gh aw --version\n") yaml.WriteString(" # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization\n") - yaml.WriteString(" mkdir -p /opt/gh-aw\n") + yaml.WriteString(" mkdir -p " + GhAwHome + "\n") yaml.WriteString(" GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1)\n") yaml.WriteString(" if [ -n \"$GH_AW_BIN\" ] && [ -f \"$GH_AW_BIN\" ]; then\n") - yaml.WriteString(" cp \"$GH_AW_BIN\" /opt/gh-aw/gh-aw\n") - yaml.WriteString(" chmod +x /opt/gh-aw/gh-aw\n") - yaml.WriteString(" echo \"Copied gh-aw binary to /opt/gh-aw/gh-aw\"\n") + yaml.WriteString(" cp \"$GH_AW_BIN\" " + GhAwHome + "/gh-aw\n") + yaml.WriteString(" chmod +x " + GhAwHome + "/gh-aw\n") + yaml.WriteString(" echo \"Copied gh-aw binary to " + GhAwHome + "/gh-aw\"\n") yaml.WriteString(" else\n") yaml.WriteString(" echo \"::error::Failed to find gh-aw binary for MCP server\"\n") yaml.WriteString(" exit 1\n") @@ -206,14 +206,14 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // AND exceeds 21,000 characters total. yaml.WriteString(" - name: Write Safe Outputs Config\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" mkdir -p /opt/gh-aw/safeoutputs\n") + yaml.WriteString(" mkdir -p " + GhAwHome + "/safeoutputs\n") yaml.WriteString(" mkdir -p /tmp/gh-aw/safeoutputs\n") yaml.WriteString(" mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs\n") // Write the safe-outputs configuration to config.json delimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_CONFIG") if safeOutputConfig != "" { - yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/config.json << '" + delimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/safeoutputs/config.json << '" + delimiter + "'\n") yaml.WriteString(" " + safeOutputConfig + "\n") yaml.WriteString(" " + delimiter + "\n") } @@ -255,7 +255,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" run: |\n") toolsDelimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_TOOLS") - yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/tools.json << '" + toolsDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/safeoutputs/tools.json << '" + toolsDelimiter + "'\n") // Write each line of the indented JSON with proper YAML indentation for line := range strings.SplitSeq(filteredToolsJSON, "\n") { yaml.WriteString(" " + line + "\n") @@ -263,7 +263,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" " + toolsDelimiter + "\n") validationDelimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_VALIDATION") - yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/validation.json << '" + validationDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/safeoutputs/validation.json << '" + validationDelimiter + "'\n") // Write each line of the indented JSON with proper YAML indentation for line := range strings.SplitSeq(validationConfigJSON, "\n") { yaml.WriteString(" " + line + "\n") @@ -302,8 +302,8 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" DEBUG: '*'\n") yaml.WriteString(" GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}\n") yaml.WriteString(" GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}\n") - yaml.WriteString(" GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json\n") - yaml.WriteString(" GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json\n") + yaml.WriteString(" GH_AW_SAFE_OUTPUTS_TOOLS_PATH: " + GhAwHomeExpr + "/safeoutputs/tools.json\n") + yaml.WriteString(" GH_AW_SAFE_OUTPUTS_CONFIG_PATH: " + GhAwHomeExpr + "/safeoutputs/config.json\n") yaml.WriteString(" GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs\n") yaml.WriteString(" run: |\n") @@ -317,7 +317,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" \n") // Call the bundled shell script to start the server - yaml.WriteString(" bash /opt/gh-aw/actions/start_safe_outputs_server.sh\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/start_safe_outputs_server.sh\n") yaml.WriteString(" \n") } @@ -327,12 +327,12 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Step 1: Write config files (JavaScript files are now copied by actions/setup) yaml.WriteString(" - name: Setup MCP Scripts Config\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" mkdir -p /opt/gh-aw/mcp-scripts/logs\n") + yaml.WriteString(" mkdir -p " + GhAwHome + "/mcp-scripts/logs\n") // Generate the tools.json configuration file toolsJSON := generateMCPScriptsToolsConfig(workflowData.MCPScripts) toolsDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_TOOLS") - yaml.WriteString(" cat > /opt/gh-aw/mcp-scripts/tools.json << '" + toolsDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/mcp-scripts/tools.json << '" + toolsDelimiter + "'\n") for line := range strings.SplitSeq(toolsJSON, "\n") { yaml.WriteString(" " + line + "\n") } @@ -341,12 +341,12 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Generate the MCP server entry point mcpScriptsMCPServer := generateMCPScriptsMCPServerScript(workflowData.MCPScripts) serverDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_SERVER") - yaml.WriteString(" cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << '" + serverDelimiter + "'\n") + yaml.WriteString(" cat > " + GhAwHome + "/mcp-scripts/mcp-server.cjs << '" + serverDelimiter + "'\n") for _, line := range FormatJavaScriptForYAML(mcpScriptsMCPServer) { yaml.WriteString(line) } yaml.WriteString(" " + serverDelimiter + "\n") - yaml.WriteString(" chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs\n") + yaml.WriteString(" chmod +x " + GhAwHome + "/mcp-scripts/mcp-server.cjs\n") yaml.WriteString(" \n") // Step 2: Generate tool files (js/py/sh) @@ -363,7 +363,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // JavaScript tool toolScript := generateMCPScriptJavaScriptToolScript(toolConfig) jsDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_JS_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.cjs << '%s'\n", toolName, jsDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.cjs << '%s'\n", toolName, jsDelimiter) for _, line := range FormatJavaScriptForYAML(toolScript) { yaml.WriteString(line) } @@ -372,27 +372,27 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Shell script tool toolScript := generateMCPScriptShellToolScript(toolConfig) shDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_SH_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.sh << '%s'\n", toolName, shDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.sh << '%s'\n", toolName, shDelimiter) for line := range strings.SplitSeq(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } fmt.Fprintf(yaml, " %s\n", shDelimiter) - fmt.Fprintf(yaml, " chmod +x /opt/gh-aw/mcp-scripts/%s.sh\n", toolName) + fmt.Fprintf(yaml, " chmod +x "+GhAwHome+"/mcp-scripts/%s.sh\n", toolName) } else if toolConfig.Py != "" { // Python script tool toolScript := generateMCPScriptPythonToolScript(toolConfig) pyDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_PY_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.py << '%s'\n", toolName, pyDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.py << '%s'\n", toolName, pyDelimiter) for line := range strings.SplitSeq(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } fmt.Fprintf(yaml, " %s\n", pyDelimiter) - fmt.Fprintf(yaml, " chmod +x /opt/gh-aw/mcp-scripts/%s.py\n", toolName) + fmt.Fprintf(yaml, " chmod +x "+GhAwHome+"/mcp-scripts/%s.py\n", toolName) } else if toolConfig.Go != "" { // Go script tool toolScript := generateMCPScriptGoToolScript(toolConfig) goDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_GO_" + strings.ToUpper(toolName)) - fmt.Fprintf(yaml, " cat > /opt/gh-aw/mcp-scripts/%s.go << '%s'\n", toolName, goDelimiter) + fmt.Fprintf(yaml, " cat > "+GhAwHome+"/mcp-scripts/%s.go << '%s'\n", toolName, goDelimiter) for line := range strings.SplitSeq(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } @@ -452,7 +452,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" \n") // Call the bundled shell script to start the server - yaml.WriteString(" bash /opt/gh-aw/actions/start_mcp_scripts_server.sh\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/start_mcp_scripts_server.sh\n") yaml.WriteString(" \n") } diff --git a/pkg/workflow/notify_comment.go b/pkg/workflow/notify_comment.go index e850f56acd..63b917607d 100644 --- a/pkg/workflow/notify_comment.go +++ b/pkg/workflow/notify_comment.go @@ -118,7 +118,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "missing_tool", MainJobName: mainJobName, CustomEnvVars: missingToolEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/missing_tool.cjs") + "); await main();", ScriptFile: "missing_tool.cjs", CustomToken: data.SafeOutputs.MissingTool.GitHubToken, }) @@ -229,7 +229,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "handle_agent_failure", MainJobName: mainJobName, CustomEnvVars: agentFailureEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/handle_agent_failure.cjs") + "); await main();", ScriptFile: "handle_agent_failure.cjs", CustomToken: "", // Will use default GITHUB_TOKEN }) @@ -259,7 +259,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "handle_noop_message", MainJobName: mainJobName, CustomEnvVars: noopMessageEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/handle_noop_message.cjs") + "); await main();", ScriptFile: "handle_noop_message.cjs", CustomToken: "", // Will use default GITHUB_TOKEN }) @@ -280,7 +280,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "handle_create_pr_error", MainJobName: mainJobName, CustomEnvVars: createPRErrorEnvVars, - Script: "const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/handle_create_pr_error.cjs") + "); await main();", ScriptFile: "handle_create_pr_error.cjs", CustomToken: "", // Will use default GITHUB_TOKEN }) @@ -430,6 +430,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa Environment: c.indentYAMLLines(resolveSafeOutputsEnvironment(data), " "), Permissions: permissions.RenderToYAML(), Concurrency: concurrency, + Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}, Steps: steps, Needs: needs, Outputs: outputs, diff --git a/pkg/workflow/pr.go b/pkg/workflow/pr.go index 32d1f63bc0..0802b70c2d 100644 --- a/pkg/workflow/pr.go +++ b/pkg/workflow/pr.go @@ -66,16 +66,16 @@ func (c *Compiler) generatePRReadyForReviewCheckout(yaml *strings.Builder, data if useRequire { // Use require() to load script from copied files using setup_globals helper - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('" + SetupActionDestination + "/checkout_pr_branch.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/checkout_pr_branch.cjs") + ");\n") yaml.WriteString(" await main();\n") } else { // Inline JavaScript: Attach GitHub Actions builtin objects to global scope before script execution - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript for checking out the PR branch - WriteJavaScriptToYAML(yaml, "const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main();") + WriteJavaScriptToYAML(yaml, "const { main } = require("+JsRequireGhAw("actions/checkout_pr_branch.cjs")+"); await main();") } } diff --git a/pkg/workflow/prompt_constants.go b/pkg/workflow/prompt_constants.go index 2f9d9c39be..90cde28df3 100644 --- a/pkg/workflow/prompt_constants.go +++ b/pkg/workflow/prompt_constants.go @@ -4,7 +4,7 @@ import _ "embed" // Prompt file paths at runtime (copied by setup action to /opt/gh-aw/prompts) const ( - promptsDir = "/opt/gh-aw/prompts" + promptsDir = GhAwHome + "/prompts" prContextPromptFile = "pr_context_prompt.md" tempFolderPromptFile = "temp_folder_prompt.md" playwrightPromptFile = "playwright_prompt.md" diff --git a/pkg/workflow/redact_secrets.go b/pkg/workflow/redact_secrets.go index 95a3e5a1b0..b9485b2c7c 100644 --- a/pkg/workflow/redact_secrets.go +++ b/pkg/workflow/redact_secrets.go @@ -79,9 +79,9 @@ func (c *Compiler) generateSecretRedactionStep(yaml *strings.Builder, yamlConten // Load redact_secrets script from external file // Use setupGlobals helper to attach GitHub Actions builtin objects to global scope - yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/redact_secrets.cjs") + ");\n") yaml.WriteString(" await main();\n") // Add environment variables diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go index 2e37ed9e92..0bd8b79507 100644 --- a/pkg/workflow/repo_memory.go +++ b/pkg/workflow/repo_memory.go @@ -543,7 +543,7 @@ func generateRepoMemorySteps(builder *strings.Builder, data *WorkflowData) { fmt.Fprintf(builder, " TARGET_REPO: %s\n", targetRepo) fmt.Fprintf(builder, " MEMORY_DIR: %s\n", memoryDir) fmt.Fprintf(builder, " CREATE_ORPHAN: %t\n", memory.CreateOrphan) - builder.WriteString(" run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh\n") + builder.WriteString(" run: bash " + GhAwHome + "/actions/clone_repo_memory_branch.sh\n") } } @@ -666,16 +666,16 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna if useRequire { // Use require() to load script from copied files using setup_globals helper - step.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + step.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") - step.WriteString(" const { main } = require('" + SetupActionDestination + "/push_repo_memory.cjs');\n") + step.WriteString(" const { main } = require(" + JsRequireGhAw("actions/push_repo_memory.cjs") + ");\n") step.WriteString(" await main();\n") } else { // Inline JavaScript: Attach GitHub Actions builtin objects to global scope before script execution - step.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") + step.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript script with proper indentation - formattedScript := FormatJavaScriptForYAML("const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main();") + formattedScript := FormatJavaScriptForYAML("const { main } = require("+JsRequireGhAw("actions/push_repo_memory.cjs")+"); await main();") for _, line := range formattedScript { step.WriteString(line) } @@ -713,6 +713,7 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna If: jobCondition, Permissions: "permissions:\n contents: write", Concurrency: concurrency, + Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}, Needs: []string{"agent"}, // Detection dependency added by caller if needed Steps: steps, Outputs: outputs, diff --git a/pkg/workflow/safe_jobs.go b/pkg/workflow/safe_jobs.go index 8c43aaf52b..b81a2c8d90 100644 --- a/pkg/workflow/safe_jobs.go +++ b/pkg/workflow/safe_jobs.go @@ -225,19 +225,19 @@ func (c *Compiler) buildSafeJobs(data *WorkflowData, threatDetectionEnabled bool agentArtifactPrefix := artifactPrefixExprForAgentDownstreamJob(data) downloadSteps := buildArtifactDownloadSteps(ArtifactDownloadConfig{ ArtifactName: agentArtifactPrefix + constants.AgentArtifactName, - DownloadPath: "/opt/gh-aw/safe-jobs/", + DownloadPath: GhAwHomeExpr + "/safe-jobs/", SetupEnvStep: false, // We'll handle env vars separately to add job-specific ones StepName: "Download agent output artifact", }) steps = append(steps, downloadSteps...) // the download artifacts always creates a folder, then unpacks in that folder - agentOutputArtifactFilename := "/opt/gh-aw/safe-jobs/" + constants.AgentOutputFilename + agentOutputArtifactFilename := GhAwHomeExpr + "/safe-jobs/" + constants.AgentOutputFilename // Add environment variables step with GH_AW_AGENT_OUTPUT and job-specific env vars steps = append(steps, " - name: Setup Safe Job Environment Variables\n") steps = append(steps, " run: |\n") - steps = append(steps, " find \"/opt/gh-aw/safe-jobs/\" -type f -print\n") + steps = append(steps, " find \"" + GhAwHomeExpr + "/safe-jobs/\" -type f -print\n") // Configure GH_AW_AGENT_OUTPUT to point to downloaded artifact file steps = append(steps, fmt.Sprintf(" echo \"GH_AW_AGENT_OUTPUT=%s\" >> \"$GITHUB_ENV\"\n", agentOutputArtifactFilename)) diff --git a/pkg/workflow/safe_outputs_jobs.go b/pkg/workflow/safe_outputs_jobs.go index 13e36cef30..5e660b3a56 100644 --- a/pkg/workflow/safe_outputs_jobs.go +++ b/pkg/workflow/safe_outputs_jobs.go @@ -322,9 +322,9 @@ func (c *Compiler) buildGitHubScriptStep(data *WorkflowData, config GitHubScript // Use require() if ScriptFile is specified, otherwise inline the script if config.ScriptFile != "" { - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, fmt.Sprintf(" const { main } = require('"+SetupActionDestination+"/%s');\n", config.ScriptFile)) + steps = append(steps, fmt.Sprintf(" const { main } = require(%s);\n", JsRequireGhAw("actions/"+config.ScriptFile))) steps = append(steps, " await main();\n") } else { // Add the formatted JavaScript script (inline) @@ -375,9 +375,9 @@ func (c *Compiler) buildGitHubScriptStepWithoutDownload(data *WorkflowData, conf // Use require() if ScriptFile is specified, otherwise inline the script if config.ScriptFile != "" { - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, fmt.Sprintf(" const { main } = require('"+SetupActionDestination+"/%s');\n", config.ScriptFile)) + steps = append(steps, fmt.Sprintf(" const { main } = require(%s);\n", JsRequireGhAw("actions/"+config.ScriptFile))) steps = append(steps, " await main();\n") } else { // Add the formatted JavaScript script (inline) diff --git a/pkg/workflow/setup_action_paths.go b/pkg/workflow/setup_action_paths.go index 16736ac89d..e9271e766c 100644 --- a/pkg/workflow/setup_action_paths.go +++ b/pkg/workflow/setup_action_paths.go @@ -1,5 +1,29 @@ package workflow +import "fmt" + +// GhAwHome is the shell expression for GH_AW_HOME. +// Use this in bash `run:` contexts where shell variable expansion occurs. +// The job-level env sets GH_AW_HOME to /opt/gh-aw by default. +const GhAwHome = "${GH_AW_HOME}" + +// GhAwHomeJS is the JavaScript expression for GH_AW_HOME. +// Use this inside require() or other JS expressions in github-script steps. +// The job-level env sets GH_AW_HOME to /opt/gh-aw by default. +const GhAwHomeJS = "process.env.GH_AW_HOME" + +// GhAwHomeExpr is the GitHub Actions expression for GH_AW_HOME. +// Use this in YAML env: blocks where shell variable expansion does NOT occur. +// GitHub Actions evaluates ${{ env.VAR }} before passing values to steps. +const GhAwHomeExpr = "${{ env.GH_AW_HOME }}" + // SetupActionDestination is the path where the setup action copies script files // on the agent runner (e.g. /opt/gh-aw/actions). -const SetupActionDestination = "/opt/gh-aw/actions" +// This is a shell expression expanded at runtime. +const SetupActionDestination = GhAwHome + "/actions" + +// JsRequireGhAw generates a JavaScript require() argument expression for a file +// under GH_AW_HOME. The relativePath should be like "actions/foo.cjs". +func JsRequireGhAw(relativePath string) string { + return fmt.Sprintf("%s + '/%s'", GhAwHomeJS, relativePath) +} diff --git a/pkg/workflow/step_order_validation.go b/pkg/workflow/step_order_validation.go index 61e4d5c5e8..dda7740b68 100644 --- a/pkg/workflow/step_order_validation.go +++ b/pkg/workflow/step_order_validation.go @@ -180,7 +180,7 @@ func (t *StepOrderTracker) findUnscannablePaths(artifactUploads []StepRecord) [] func isPathScannedBySecretRedaction(path string) bool { // Paths must be under /tmp/gh-aw/ or /opt/gh-aw/ to be scanned // Accept both literal paths and environment variable references - if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") { + if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") && !strings.HasPrefix(path, "${GH_AW_HOME") { // Check if it's an environment variable that might resolve to /tmp/gh-aw/ or /opt/gh-aw/ // For now, we'll allow ${{ env.* }} patterns through as we can't resolve them at compile time // Assume environment variables that might contain /tmp/gh-aw or /opt/gh-aw paths are safe diff --git a/pkg/workflow/template.go b/pkg/workflow/template.go index 9bea3393b4..eaa81d6eb1 100644 --- a/pkg/workflow/template.go +++ b/pkg/workflow/template.go @@ -123,8 +123,8 @@ func (c *Compiler) generateInterpolationAndTemplateStep(yaml *strings.Builder, e // Load interpolate_prompt script from external file // Use setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');\n") + yaml.WriteString(" const { main } = require(" + JsRequireGhAw("actions/interpolate_prompt.cjs") + ");\n") yaml.WriteString(" await main();\n") } diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index e72f490661..3ebfe4940e 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -287,9 +287,9 @@ func (c *Compiler) buildThreatDetectionAnalysisStep(data *WorkflowData) []string func (c *Compiler) buildSetupScriptRequire() string { // Build a simple require statement that calls the main function // The template is now read from file at runtime by the JavaScript module - script := `const { setupGlobals } = require('` + SetupActionDestination + `/setup_globals.cjs'); + script := `const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); -const { main } = require('` + SetupActionDestination + `/setup_threat_detection.cjs'); +const { main } = require(` + JsRequireGhAw("actions/setup_threat_detection.cjs") + `); await main();` return script @@ -434,9 +434,9 @@ func (c *Compiler) buildWorkflowContextEnvVars(data *WorkflowData) []string { // buildResultsParsingScriptRequire creates the parsing script that requires the .cjs module func (c *Compiler) buildResultsParsingScriptRequire() string { // Build a simple require statement that calls the main function - script := `const { setupGlobals } = require('` + SetupActionDestination + `/setup_globals.cjs'); + script := `const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); -const { main } = require('` + SetupActionDestination + `/parse_threat_detection_results.cjs'); +const { main } = require(` + JsRequireGhAw("actions/parse_threat_detection_results.cjs") + `); await main();` return script diff --git a/pkg/workflow/unified_prompt_step.go b/pkg/workflow/unified_prompt_step.go index d045c04634..1adba213e4 100644 --- a/pkg/workflow/unified_prompt_step.go +++ b/pkg/workflow/unified_prompt_step.go @@ -455,7 +455,7 @@ func (c *Compiler) generateUnifiedPromptCreationStep(yaml *strings.Builder, buil } yaml.WriteString(" run: |\n") - yaml.WriteString(" bash /opt/gh-aw/actions/create_prompt_first.sh\n") + yaml.WriteString(" bash " + GhAwHome + "/actions/create_prompt_first.sh\n") yaml.WriteString(" {\n") // Track if we're inside a heredoc From 9d3ac6b814ab1283ef347c6628ddd3c77916fc75 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 13 Mar 2026 21:39:37 +0000 Subject: [PATCH 3/6] Add changeset [skip-ci] --- .changeset/patch-gh-aw-home-path-constants.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/patch-gh-aw-home-path-constants.md diff --git a/.changeset/patch-gh-aw-home-path-constants.md b/.changeset/patch-gh-aw-home-path-constants.md new file mode 100644 index 0000000000..8bfed0531e --- /dev/null +++ b/.changeset/patch-gh-aw-home-path-constants.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Replaced hardcoded `/opt/gh-aw/` paths with shared `GhAwHome` constants and `GH_AW_HOME`-based path resolution across setup scripts and workflow compilation. From c2d6ac2f8e0b17eeb80e8ec54e011b4127fb2b84 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 13 Mar 2026 21:55:28 +0000 Subject: [PATCH 4/6] chore: recompile all 173 workflow lock files with GH_AW_HOME paths Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ace-editor.lock.yml | 87 ++++---- .../agent-performance-analyzer.lock.yml | 155 +++++++------ .../workflows/agent-persona-explorer.lock.yml | 152 ++++++------- .github/workflows/ai-moderator.lock.yml | 155 ++++++------- .github/workflows/archie.lock.yml | 149 ++++++------- .github/workflows/artifacts-summary.lock.yml | 129 ++++++----- .github/workflows/audit-workflows.lock.yml | 160 +++++++------ .github/workflows/auto-triage-issues.lock.yml | 143 ++++++------ .github/workflows/blog-auditor.lock.yml | 129 ++++++----- .github/workflows/bot-detection.lock.yml | 123 +++++----- .github/workflows/brave.lock.yml | 149 ++++++------- .../breaking-change-checker.lock.yml | 143 ++++++------ .github/workflows/changeset.lock.yml | 143 ++++++------ .../workflows/chroma-issue-indexer.lock.yml | 75 ++++--- .github/workflows/ci-coach.lock.yml | 142 ++++++------ .github/workflows/ci-doctor.lock.yml | 148 ++++++------ .../claude-code-user-docs-review.lock.yml | 134 ++++++----- .../cli-consistency-checker.lock.yml | 129 ++++++----- .../workflows/cli-version-checker.lock.yml | 134 ++++++----- .github/workflows/cloclo.lock.yml | 170 +++++++------- .../workflows/code-scanning-fixer.lock.yml | 164 +++++++------- .github/workflows/code-simplifier.lock.yml | 147 ++++++------ .../codex-github-remote-mcp-test.lock.yml | 69 +++--- .../commit-changes-analyzer.lock.yml | 127 ++++++----- .../constraint-solving-potd.lock.yml | 134 ++++++----- .github/workflows/contribution-check.lock.yml | 129 ++++++----- .../workflows/copilot-agent-analysis.lock.yml | 146 ++++++------ .../copilot-cli-deep-research.lock.yml | 141 ++++++------ .../copilot-pr-merged-report.lock.yml | 158 +++++++------ .../copilot-pr-nlp-analysis.lock.yml | 154 ++++++------- .../copilot-pr-prompt-analysis.lock.yml | 148 ++++++------ .../copilot-session-insights.lock.yml | 152 ++++++------- .github/workflows/craft.lock.yml | 151 ++++++------- .../daily-architecture-diagram.lock.yml | 142 ++++++------ .../daily-assign-issue-to-user.lock.yml | 129 ++++++----- .github/workflows/daily-choice-test.lock.yml | 133 ++++++----- .../workflows/daily-cli-performance.lock.yml | 167 +++++++------- .../workflows/daily-cli-tools-tester.lock.yml | 139 ++++++------ .github/workflows/daily-code-metrics.lock.yml | 152 ++++++------- .../workflows/daily-compiler-quality.lock.yml | 136 ++++++------ .../daily-copilot-token-report.lock.yml | 154 ++++++------- .github/workflows/daily-doc-healer.lock.yml | 166 +++++++------- .github/workflows/daily-doc-updater.lock.yml | 162 +++++++------- .github/workflows/daily-fact.lock.yml | 127 ++++++----- .github/workflows/daily-file-diet.lock.yml | 139 ++++++------ .../workflows/daily-firewall-report.lock.yml | 152 ++++++------- .../workflows/daily-function-namer.lock.yml | 134 ++++++----- .../workflows/daily-issues-report.lock.yml | 144 ++++++------ .../daily-malicious-code-scan.lock.yml | 121 +++++----- .../daily-mcp-concurrency-analysis.lock.yml | 138 ++++++------ .../daily-multi-device-docs-tester.lock.yml | 135 ++++++----- .github/workflows/daily-news.lock.yml | 154 ++++++------- .../daily-observability-report.lock.yml | 141 ++++++------ .../daily-performance-summary.lock.yml | 174 +++++++-------- .github/workflows/daily-regulatory.lock.yml | 161 +++++++------- .../daily-rendering-scripts-verifier.lock.yml | 158 +++++++------ .../workflows/daily-repo-chronicle.lock.yml | 142 ++++++------ .../daily-safe-output-optimizer.lock.yml | 152 ++++++------- .../daily-safe-outputs-conformance.lock.yml | 127 ++++++----- .../workflows/daily-secrets-analysis.lock.yml | 129 ++++++----- .../daily-security-red-team.lock.yml | 127 ++++++----- .github/workflows/daily-semgrep-scan.lock.yml | 131 ++++++----- .../daily-syntax-error-quality.lock.yml | 127 ++++++----- .../daily-team-evolution-insights.lock.yml | 127 ++++++----- .github/workflows/daily-team-status.lock.yml | 137 ++++++------ .../daily-testify-uber-super-expert.lock.yml | 151 ++++++------- .../workflows/daily-workflow-updater.lock.yml | 135 ++++++----- .github/workflows/dead-code-remover.lock.yml | 152 ++++++------- .github/workflows/deep-report.lock.yml | 160 +++++++------ .github/workflows/delight.lock.yml | 141 ++++++------ .github/workflows/dependabot-burner.lock.yml | 137 ++++++------ .../workflows/dependabot-go-checker.lock.yml | 131 ++++++----- .github/workflows/dev-hawk.lock.yml | 143 ++++++------ .github/workflows/dev.lock.yml | 129 ++++++----- .../developer-docs-consolidator.lock.yml | 174 +++++++-------- .github/workflows/dictation-prompt.lock.yml | 157 +++++++------ .../workflows/discussion-task-miner.lock.yml | 139 ++++++------ .github/workflows/docs-noob-tester.lock.yml | 137 ++++++------ .github/workflows/draft-pr-cleanup.lock.yml | 129 ++++++----- .../duplicate-code-detector.lock.yml | 131 ++++++----- .../example-permissions-warning.lock.yml | 73 +++--- .../example-workflow-analyzer.lock.yml | 135 ++++++----- .github/workflows/firewall-escape.lock.yml | 158 +++++++------ .github/workflows/firewall.lock.yml | 73 +++--- .../workflows/functional-pragmatist.lock.yml | 137 ++++++------ .../github-mcp-structural-analysis.lock.yml | 140 ++++++------ .../github-mcp-tools-report.lock.yml | 140 ++++++------ .../github-remote-mcp-auth-test.lock.yml | 131 ++++++----- .../workflows/glossary-maintainer.lock.yml | 182 ++++++++------- .github/workflows/go-fan.lock.yml | 134 ++++++----- .github/workflows/go-logger.lock.yml | 166 +++++++------- .../workflows/go-pattern-detector.lock.yml | 127 ++++++----- .github/workflows/gpclean.lock.yml | 138 ++++++------ .github/workflows/grumpy-reviewer.lock.yml | 156 +++++++------ .github/workflows/hourly-ci-cleaner.lock.yml | 141 ++++++------ .../workflows/instructions-janitor.lock.yml | 140 ++++++------ .github/workflows/issue-arborist.lock.yml | 125 +++++------ .github/workflows/issue-monster.lock.yml | 147 ++++++------ .github/workflows/issue-triage-agent.lock.yml | 125 +++++------ .github/workflows/jsweep.lock.yml | 144 ++++++------ .../workflows/layout-spec-maintainer.lock.yml | 137 ++++++------ .github/workflows/lockfile-stats.lock.yml | 134 ++++++----- .github/workflows/mcp-inspector.lock.yml | 158 +++++++------ .github/workflows/mergefest.lock.yml | 153 ++++++------- .github/workflows/metrics-collector.lock.yml | 99 ++++----- .../workflows/notion-issue-summary.lock.yml | 129 ++++++----- .github/workflows/org-health-report.lock.yml | 142 ++++++------ .github/workflows/pdf-summary.lock.yml | 158 +++++++------ .github/workflows/plan.lock.yml | 149 ++++++------- .github/workflows/poem-bot.lock.yml | 174 +++++++-------- .github/workflows/portfolio-analyst.lock.yml | 152 ++++++------- .../workflows/pr-nitpick-reviewer.lock.yml | 158 +++++++------ .github/workflows/pr-triage-agent.lock.yml | 141 ++++++------ .../prompt-clustering-analysis.lock.yml | 142 ++++++------ .github/workflows/python-data-charts.lock.yml | 152 ++++++------- .github/workflows/q.lock.yml | 172 +++++++------- .github/workflows/refiner.lock.yml | 145 ++++++------ .github/workflows/release.lock.yml | 137 ++++++------ .../workflows/repo-audit-analyzer.lock.yml | 136 ++++++------ .github/workflows/repo-tree-map.lock.yml | 131 ++++++----- .../repository-quality-improver.lock.yml | 136 ++++++------ .github/workflows/research.lock.yml | 131 ++++++----- .github/workflows/safe-output-health.lock.yml | 142 ++++++------ .../schema-consistency-checker.lock.yml | 134 ++++++----- .github/workflows/scout.lock.yml | 152 ++++++------- ...ecurity-alert-burndown.campaign.g.lock.yml | 138 ++++++------ .../workflows/security-compliance.lock.yml | 147 ++++++------ .github/workflows/security-review.lock.yml | 166 +++++++------- .../semantic-function-refactor.lock.yml | 127 ++++++----- .github/workflows/sergo.lock.yml | 134 ++++++----- .../workflows/slide-deck-maintainer.lock.yml | 156 +++++++------ .../workflows/smoke-agent-all-merged.lock.yml | 145 ++++++------ .../workflows/smoke-agent-all-none.lock.yml | 145 ++++++------ .../smoke-agent-public-approved.lock.yml | 149 ++++++------- .../smoke-agent-public-none.lock.yml | 145 ++++++------ .../smoke-agent-scoped-approved.lock.yml | 145 ++++++------ .../workflows/smoke-call-workflow.lock.yml | 139 ++++++------ .github/workflows/smoke-claude.lock.yml | 210 +++++++++--------- .github/workflows/smoke-codex.lock.yml | 180 ++++++++------- .github/workflows/smoke-copilot-arm.lock.yml | 210 +++++++++--------- .github/workflows/smoke-copilot.lock.yml | 210 +++++++++--------- .../smoke-create-cross-repo-pr.lock.yml | 152 ++++++------- .github/workflows/smoke-gemini.lock.yml | 178 +++++++-------- .github/workflows/smoke-multi-pr.lock.yml | 159 +++++++------ .github/workflows/smoke-project.lock.yml | 158 +++++++------ .github/workflows/smoke-temporary-id.lock.yml | 153 ++++++------- .github/workflows/smoke-test-tools.lock.yml | 149 ++++++------- .../smoke-update-cross-repo-pr.lock.yml | 155 +++++++------ .../smoke-workflow-call-with-inputs.lock.yml | 143 ++++++------ .../workflows/smoke-workflow-call.lock.yml | 141 ++++++------ .../workflows/stale-repo-identifier.lock.yml | 142 ++++++------ .../workflows/static-analysis-report.lock.yml | 142 ++++++------ .../workflows/step-name-alignment.lock.yml | 134 ++++++----- .github/workflows/sub-issue-closer.lock.yml | 131 ++++++----- .github/workflows/super-linter.lock.yml | 138 ++++++------ .../workflows/technical-doc-writer.lock.yml | 188 ++++++++-------- .github/workflows/terminal-stylist.lock.yml | 131 ++++++----- .../test-create-pr-error-handling.lock.yml | 140 ++++++------ .github/workflows/test-dispatcher.lock.yml | 131 ++++++----- .../test-project-url-default.lock.yml | 130 ++++++----- .github/workflows/test-workflow.lock.yml | 73 +++--- .github/workflows/tidy.lock.yml | 159 +++++++------ .github/workflows/typist.lock.yml | 127 ++++++----- .../workflows/ubuntu-image-analyzer.lock.yml | 147 ++++++------ .github/workflows/unbloat-docs.lock.yml | 188 ++++++++-------- .github/workflows/video-analyzer.lock.yml | 131 ++++++----- .../weekly-editors-health-check.lock.yml | 145 ++++++------ .../workflows/weekly-issue-summary.lock.yml | 138 ++++++------ .../weekly-safe-outputs-spec-review.lock.yml | 135 ++++++----- .github/workflows/workflow-generator.lock.yml | 161 +++++++------- .../workflow-health-manager.lock.yml | 149 ++++++------- .../workflows/workflow-normalizer.lock.yml | 139 ++++++------ .../workflow-skill-extractor.lock.yml | 131 ++++++----- pkg/workflow/compiler_safe_outputs_job.go | 10 +- pkg/workflow/repo_memory.go | 2 +- pkg/workflow/safe_jobs.go | 2 +- 176 files changed, 12010 insertions(+), 12746 deletions(-) diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index c79c1a81b5..225fb68e2c 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -70,8 +70,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,11 +91,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -118,9 +116,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -128,18 +126,18 @@ jobs: GH_AW_WORKFLOW_FILE: "ace-editor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -153,14 +151,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -204,9 +202,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -224,10 +222,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -248,11 +246,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -273,6 +271,7 @@ jobs: issues: read pull-requests: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: aceeditor outputs: inference_access_error: ${{ steps.detect-inference-error.outputs.inference_access_error || 'false' }} @@ -287,14 +286,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -308,9 +309,9 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -319,10 +320,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -347,7 +348,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -375,7 +376,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -411,7 +412,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -449,15 +450,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -467,7 +468,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -475,18 +476,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -566,8 +567,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -576,9 +575,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -587,8 +586,8 @@ jobs: GH_AW_COMMANDS: "[\"ace\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 9436023763..91adcfc78d 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +85,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -104,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "agent-performance-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,16 +120,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_discussion, missing_tool, missing_data, noop @@ -181,9 +179,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -235,11 +233,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -267,10 +265,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: agentperformanceanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -291,8 +287,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -328,7 +322,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -338,7 +336,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -361,14 +359,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -377,10 +375,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -395,27 +393,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":10},"create_discussion":{"expires":24,"max":2},"create_issue":{"expires":48,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Labels [\"cookie\"] will be automatically added.", @@ -647,7 +645,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -809,8 +807,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -821,7 +819,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -851,7 +849,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -898,7 +896,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -936,7 +934,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -974,15 +972,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -991,7 +989,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1008,9 +1006,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1019,18 +1017,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1114,9 +1112,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1167,9 +1165,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1215,6 +1213,8 @@ jobs: concurrency: group: "gh-aw-conclusion-agent-performance-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1229,8 +1229,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1254,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1267,9 +1265,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1294,9 +1292,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1311,9 +1309,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1333,8 +1331,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1343,9 +1339,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1357,6 +1353,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1371,8 +1369,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1415,9 +1411,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1433,6 +1429,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/agent-performance-analyzer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "agent-performance-analyzer" GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator" outputs: @@ -1456,8 +1453,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1483,9 +1478,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 4e13982dca..4d1a5c7402 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "agent-persona-explorer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,16 +125,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -186,9 +184,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +206,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -265,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: agentpersonaexplorer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,8 +285,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -326,10 +320,14 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -359,14 +357,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -375,10 +373,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -393,27 +391,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"agent-research\".", @@ -544,7 +542,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -655,8 +653,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -667,7 +665,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -697,7 +695,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -744,7 +742,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -781,7 +779,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -819,15 +817,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -837,7 +835,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -854,9 +852,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -865,18 +863,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -957,9 +955,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1009,9 +1007,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1056,6 +1054,8 @@ jobs: concurrency: group: "gh-aw-conclusion-agent-persona-explorer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1070,8 +1070,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1095,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1108,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1132,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1149,9 +1147,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1171,8 +1169,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1181,9 +1177,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1198,6 +1194,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/agent-persona-explorer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "agent-persona-explorer" GH_AW_WORKFLOW_NAME: "Agent Persona Explorer" outputs: @@ -1217,8 +1214,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1244,9 +1239,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1263,6 +1258,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: agentpersonaexplorer steps: - name: Checkout actions folder @@ -1274,8 +1270,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index a67ec4762c..df0ba85124 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -83,8 +83,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -106,11 +104,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -129,18 +127,18 @@ jobs: GH_AW_WORKFLOW_FILE: "ai-moderator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Lock issue for agent workflow id: lock-issue @@ -148,9 +146,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/lock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/lock-issue.cjs'); await main(); - name: Create prompt with built-in context env: @@ -166,16 +164,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_labels, hide_comment, missing_tool, missing_data, noop @@ -224,9 +222,9 @@ jobs: GH_AW_EXPR_799BE623: ${{ github.event.issue.number || github.event.pull_request.number }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -247,10 +245,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -274,11 +272,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -301,10 +299,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: aimoderator outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -322,13 +318,15 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Cache cache-memory file share data uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -358,9 +356,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -370,7 +368,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -379,21 +377,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_labels":{"allowed":["spam","ai-generated","link-spam","ai-inspected"],"max":3,"target":"*"},"hide_comment":{"allowed_reasons":["spam"],"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add labels to an existing GitHub issue or pull request for categorization and filtering. Labels must already exist in the repository. For creating new issues with labels, use create_issue with the labels property instead. CONSTRAINTS: Only these labels are allowed: [\"spam\" \"ai-generated\" \"link-spam\" \"ai-inspected\"]. Target: *.", @@ -555,7 +553,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_labels": { "defaultMax": 5, @@ -683,8 +681,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -695,7 +693,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -748,7 +746,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -782,7 +780,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -827,15 +825,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -846,7 +844,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -863,9 +861,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -874,18 +872,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -907,9 +905,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { validateMemoryFiles } = require('/opt/gh-aw/actions/validate_memory_files.cjs'); + const { validateMemoryFiles } = require(process.env.GH_AW_HOME + '/actions/validate_memory_files.cjs'); const allowedExtensions = [".json"]; const result = validateMemoryFiles('/tmp/gh-aw/cache-memory', 'cache', allowedExtensions); if (!result.valid) { @@ -949,6 +947,8 @@ jobs: concurrency: group: "gh-aw-conclusion-ai-moderator" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -963,8 +963,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -988,9 +986,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1001,9 +999,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1022,9 +1020,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1039,9 +1037,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1062,8 +1060,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check user rate limit id: check_rate_limit uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1075,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_rate_limit.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_rate_limit.cjs'); await main(); - name: Check skip-roles id: check_skip_roles @@ -1088,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_roles.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_roles.cjs'); await main(); - name: Check skip-bots id: check_skip_bots @@ -1100,9 +1096,9 @@ jobs: GH_AW_WORKFLOW_NAME: "AI Moderator" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_bots.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_bots.cjs'); await main(); safe_outputs: @@ -1121,6 +1117,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ai-moderator" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "ai-moderator" GH_AW_WORKFLOW_NAME: "AI Moderator" outputs: @@ -1140,8 +1137,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1167,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1199,16 +1194,14 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/unlock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/unlock-issue.cjs'); await main(); diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 07c9b53d6c..26e8ac4b7d 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -87,8 +87,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -110,7 +108,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -130,9 +128,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -140,18 +138,18 @@ jobs: GH_AW_WORKFLOW_FILE: "archie.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -169,15 +167,15 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -212,7 +210,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -235,9 +233,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -258,10 +256,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -285,11 +283,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -314,10 +312,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: archie outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -338,14 +334,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -368,14 +366,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -384,21 +382,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -532,7 +530,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -635,8 +633,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -647,7 +645,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -676,7 +674,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -719,7 +717,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -757,7 +755,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -795,15 +793,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -812,7 +810,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -830,9 +828,9 @@ jobs: GH_AW_COMMAND: archie with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -841,18 +839,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -927,9 +925,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -980,9 +978,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1027,6 +1025,8 @@ jobs: concurrency: group: "gh-aw-conclusion-archie" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1041,8 +1041,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1066,9 +1064,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1079,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1101,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1118,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1146,8 +1144,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1156,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1167,9 +1163,9 @@ jobs: GH_AW_COMMANDS: "[\"archie\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1185,6 +1181,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/archie" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📊 *Diagram rendered by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔧 *Workflow sync report by [{workflow_name}]({run_url}) for {repository}*\",\"footerWorkflowRecompileComment\":\"\\u003e 🔄 *Update from [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"📐 [{workflow_name}]({run_url}) is analyzing the architecture for this {event_type}...\",\"runSuccess\":\"🎨 [{workflow_name}]({run_url}) has completed the architecture visualization. ✅\",\"runFailure\":\"📐 [{workflow_name}]({run_url}) encountered an issue and could not complete the architecture diagram. Check the [run logs]({run_url}) for details.\"}" GH_AW_WORKFLOW_ID: "archie" GH_AW_WORKFLOW_NAME: "Archie" @@ -1207,8 +1204,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1234,9 +1229,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 997ca71ab8..0e9ac160f0 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +84,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -103,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "artifacts-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,15 +118,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -182,9 +180,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -200,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -222,11 +220,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -251,10 +249,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: artifactssummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,14 +271,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -305,14 +303,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -321,21 +319,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"artifacts\".", @@ -466,7 +464,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -577,8 +575,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -589,7 +587,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -618,7 +616,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -653,7 +651,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -691,7 +689,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -729,15 +727,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -746,7 +744,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -763,9 +761,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -774,18 +772,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -860,9 +858,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -913,9 +911,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -959,6 +957,8 @@ jobs: concurrency: group: "gh-aw-conclusion-artifacts-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -973,8 +973,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -998,9 +996,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1011,9 +1009,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1034,9 +1032,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1051,9 +1049,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1068,6 +1066,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/artifacts-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "artifacts-summary" GH_AW_WORKFLOW_NAME: "Artifacts Summary" outputs: @@ -1087,8 +1086,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1114,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index b98c9fe3be..31ae971cad 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "audit-workflows.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,17 +126,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -197,9 +195,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -224,10 +222,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -255,11 +253,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -285,10 +283,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: auditworkflows outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -308,8 +304,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -345,7 +339,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Setup Python environment @@ -373,7 +371,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -390,7 +388,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -413,9 +411,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -423,7 +421,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -434,10 +432,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -452,27 +450,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -643,7 +641,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -763,8 +761,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -775,7 +773,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -807,7 +805,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -852,7 +850,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -980,15 +978,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -998,7 +996,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1015,9 +1013,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1026,18 +1024,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1134,9 +1132,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1197,9 +1195,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1246,6 +1244,8 @@ jobs: concurrency: group: "gh-aw-conclusion-audit-workflows" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1260,8 +1260,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1286,9 +1284,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1300,9 +1298,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1328,9 +1326,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1346,9 +1344,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1360,6 +1358,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1374,8 +1374,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1418,9 +1416,9 @@ jobs: FILE_GLOB_FILTER: "memory/audit-workflows/*.json memory/audit-workflows/*.jsonl memory/audit-workflows/*.csv memory/audit-workflows/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1435,6 +1433,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/audit-workflows" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "audit-workflows-daily" GH_AW_WORKFLOW_ID: "audit-workflows" GH_AW_WORKFLOW_NAME: "Agentic Workflow Audit Agent" @@ -1455,8 +1454,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1482,9 +1479,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1501,6 +1498,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: auditworkflows steps: - name: Checkout actions folder @@ -1512,8 +1510,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1557,8 +1553,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1614,8 +1608,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 8d385f4e53..590527e85f 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -71,8 +71,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -94,7 +92,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -111,18 +109,18 @@ jobs: GH_AW_WORKFLOW_FILE: "auto-triage-issues.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -137,15 +135,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, add_labels, missing_tool, missing_data, noop @@ -195,9 +193,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -214,10 +212,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -237,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -264,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: autotriageissues outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,14 +284,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -318,14 +316,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -334,21 +332,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_labels":{"max":10},"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Auto-Triage] \". Discussions will be created in category \"audits\".", @@ -508,7 +506,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_labels": { "defaultMax": 5, @@ -638,8 +636,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -650,7 +648,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -679,7 +677,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -714,7 +712,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -768,7 +766,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -806,15 +804,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -823,7 +821,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -840,9 +838,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -851,18 +849,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -937,9 +935,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -990,9 +988,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1037,6 +1035,8 @@ jobs: concurrency: group: "gh-aw-conclusion-auto-triage-issues" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1051,8 +1051,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1076,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1089,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1112,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1129,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1152,8 +1150,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1162,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check user rate limit id: check_rate_limit @@ -1177,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_rate_limit.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_rate_limit.cjs'); await main(); safe_outputs: @@ -1195,6 +1191,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/auto-triage-issues" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "auto-triage-issues" GH_AW_WORKFLOW_NAME: "Auto-Triage Issues" outputs: @@ -1214,8 +1211,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1241,9 +1236,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index ef51afc6fd..4cf00024b5 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "blog-auditor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,16 +124,16 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -188,9 +186,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,10 +205,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -230,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -259,10 +257,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: blogauditor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,14 +278,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -312,9 +310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -322,7 +320,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -333,21 +331,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[audit] \". Discussions will be created in category \"audits\".", @@ -478,7 +476,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -589,8 +587,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -601,7 +599,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -630,7 +628,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -681,7 +679,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -841,15 +839,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -859,7 +857,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -876,9 +874,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -887,18 +885,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -971,9 +969,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1034,9 +1032,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1080,6 +1078,8 @@ jobs: concurrency: group: "gh-aw-conclusion-blog-auditor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1094,8 +1094,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1120,9 +1118,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1134,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1158,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1176,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1193,6 +1191,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/blog-auditor" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "blog-auditor-weekly" GH_AW_WORKFLOW_ID: "blog-auditor" GH_AW_WORKFLOW_NAME: "Blog Auditor" @@ -1213,8 +1212,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1240,9 +1237,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index 8d2d903dfa..bd64d8c8c5 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -83,11 +81,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -105,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "bot-detection.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,15 +124,15 @@ jobs: GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ISSUE_NUMBER: ${{ needs.precompute.outputs.issue_number }} GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ISSUE_TITLE: ${{ needs.precompute.outputs.issue_title }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, update_issue, missing_tool, missing_data, noop @@ -186,9 +184,9 @@ jobs: GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ISSUE_TITLE: ${{ needs.precompute.outputs.issue_title }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +206,10 @@ jobs: GH_AW_NEEDS_PRECOMPUTE_OUTPUTS_ISSUE_TITLE: ${{ needs.precompute.outputs.issue_title }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -267,10 +265,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: botdetection outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,14 +285,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -319,14 +317,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -335,21 +333,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"mentions":{"allowed":["pelikhan"]},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"security\" \"bot-detection\"] will be automatically added.", @@ -567,7 +565,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -739,8 +737,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -751,7 +749,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -780,7 +778,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -815,7 +813,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -852,7 +850,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -890,15 +888,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -908,7 +906,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -925,9 +923,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -936,18 +934,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -995,6 +993,8 @@ jobs: concurrency: group: "gh-aw-conclusion-bot-detection" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1009,8 +1009,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1034,9 +1032,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1047,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1069,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1086,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); precompute: @@ -1900,6 +1898,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/bot-detection" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "bot-detection" GH_AW_WORKFLOW_NAME: "Bot Detection" outputs: @@ -1921,8 +1920,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1948,9 +1945,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 77a9901dfe..2fced7a102 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,7 +94,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -116,9 +114,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -126,18 +124,18 @@ jobs: GH_AW_WORKFLOW_FILE: "brave.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -155,15 +153,15 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -198,7 +196,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -220,9 +218,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -243,10 +241,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -270,11 +268,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -298,10 +296,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: brave outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -322,14 +318,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -352,14 +350,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -368,21 +366,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -516,7 +514,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -619,8 +617,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -631,7 +629,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -661,7 +659,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e BRAVE_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "brave-search": { @@ -706,7 +704,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -744,7 +742,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -782,15 +780,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'BRAVE_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -800,7 +798,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -818,9 +816,9 @@ jobs: GH_AW_COMMAND: brave with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -829,18 +827,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -915,9 +913,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -968,9 +966,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1015,6 +1013,8 @@ jobs: concurrency: group: "gh-aw-conclusion-brave" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1029,8 +1029,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1054,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1067,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1089,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1106,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1131,8 +1129,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1141,9 +1137,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1152,9 +1148,9 @@ jobs: GH_AW_COMMANDS: "[\"brave\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1170,6 +1166,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/brave" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦁 *Search results brought to you by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔄 *Maintenance report by [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"🔍 Brave Search activated! [{workflow_name}]({run_url}) is venturing into the web on this {event_type}...\",\"runSuccess\":\"🦁 Mission accomplished! [{workflow_name}]({run_url}) has returned with the findings. Knowledge acquired! 🏆\",\"runFailure\":\"🔍 Search interrupted! [{workflow_name}]({run_url}) {status}. The web remains unexplored...\"}" GH_AW_WORKFLOW_ID: "brave" GH_AW_WORKFLOW_NAME: "Brave Web Search Agent" @@ -1192,8 +1189,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1219,9 +1214,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 9404c3fc57..9bac7821a7 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -105,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "breaking-change-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,15 +120,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -186,9 +184,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -205,10 +203,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -228,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -257,10 +255,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: breakingchangechecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -281,14 +277,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -311,14 +309,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -327,21 +325,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned.", @@ -487,7 +485,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -605,8 +603,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -617,7 +615,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -646,7 +644,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -681,7 +679,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -739,7 +737,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -777,15 +775,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -794,7 +792,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -811,9 +809,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -822,18 +820,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -908,9 +906,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -961,9 +959,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1006,6 +1004,8 @@ jobs: concurrency: group: "gh-aw-conclusion-breaking-change-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1020,8 +1020,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1046,9 +1044,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1060,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1083,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1101,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1123,8 +1121,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1133,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1146,9 +1142,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1162,6 +1158,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/breaking-change-checker" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚠️ *Compatibility report by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🛠️ *Workflow maintenance by [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"🔬 Breaking Change Checker online! [{workflow_name}]({run_url}) is analyzing API compatibility on this {event_type}...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has reviewed all changes. Compatibility verdict delivered! 📋\",\"runFailure\":\"🔬 Analysis interrupted! [{workflow_name}]({run_url}) {status}. Compatibility status unknown...\"}" GH_AW_TRACKER_ID: "breaking-change-checker" GH_AW_WORKFLOW_ID: "breaking-change-checker" @@ -1185,8 +1182,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1213,9 +1208,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' @@ -1225,9 +1220,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_copilot_to_created_issues.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 7c8aaefc20..e8014872df 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -81,8 +81,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -104,11 +102,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -130,9 +128,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -140,18 +138,18 @@ jobs: GH_AW_WORKFLOW_FILE: "changeset.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -168,20 +166,20 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_pull_request, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -239,9 +237,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -260,10 +258,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -285,11 +283,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -312,10 +310,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: changeset outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -335,14 +331,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" @@ -368,9 +366,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -380,7 +378,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -389,21 +387,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1},"update_pull_request":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Update an existing GitHub pull request's title or body. Supports replacing, appending to, or prepending content to the body. Title is always replaced. Only the fields you specify will be updated; other fields remain unchanged. CONSTRAINTS: Maximum 1 pull request(s) can be updated.", @@ -582,7 +580,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -721,8 +719,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -733,7 +731,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -786,7 +784,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -820,7 +818,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -865,15 +863,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -884,7 +882,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -901,9 +899,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -912,18 +910,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -999,9 +997,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1015,9 +1013,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1060,6 +1058,8 @@ jobs: concurrency: group: "gh-aw-conclusion-changeset" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1074,8 +1074,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1099,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1112,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1135,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1152,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1178,8 +1176,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1188,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1207,6 +1203,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/changeset" GH_AW_ENGINE_ID: "codex" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "changeset" GH_AW_WORKFLOW_NAME: "Changeset Generator" outputs: @@ -1228,8 +1225,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1284,9 +1279,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/chroma-issue-indexer.lock.yml b/.github/workflows/chroma-issue-indexer.lock.yml index f828144975..8c96b450c3 100644 --- a/.github/workflows/chroma-issue-indexer.lock.yml +++ b/.github/workflows/chroma-issue-indexer.lock.yml @@ -61,8 +61,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,11 +82,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "chroma-issue-indexer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,15 +120,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt_multi.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -177,9 +175,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -198,10 +196,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -247,6 +245,7 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: chromaissueindexer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -262,14 +261,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory (chroma) run: | @@ -303,14 +304,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -319,10 +320,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/chroma + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/chroma - name: Start MCP Gateway id: start-mcp-gateway env: @@ -347,7 +348,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "chroma": { @@ -399,7 +400,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -435,7 +436,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -473,15 +474,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -491,7 +492,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -499,18 +500,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index ce2e40d549..5dfc50e547 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +85,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -104,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "ci-coach.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,21 +120,21 @@ jobs: GH_AW_GITHUB_RUN_NUMBER: ${{ github.run_number }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -195,9 +193,9 @@ jobs: GH_AW_GITHUB_RUN_NUMBER: ${{ github.run_number }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -217,10 +215,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -243,11 +241,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -274,10 +272,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cicoach outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -298,8 +294,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -312,7 +306,11 @@ jobs: cache-dependency-path: 'actions/setup/js/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Download CI workflow runs from last 7 days @@ -347,7 +345,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -377,14 +375,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -393,21 +391,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[ci-coach] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ci-coach] \".", @@ -553,7 +551,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -674,8 +672,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -686,7 +684,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -715,7 +713,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -750,7 +748,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -788,7 +786,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -826,15 +824,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -843,7 +841,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -860,9 +858,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -871,18 +869,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -964,9 +962,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1017,9 +1015,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1064,6 +1062,8 @@ jobs: concurrency: group: "gh-aw-conclusion-ci-coach" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1078,8 +1078,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1104,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1118,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1142,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1160,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1175,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1194,6 +1192,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ci-coach" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "ci-coach-daily" GH_AW_WORKFLOW_ID: "ci-coach" GH_AW_WORKFLOW_NAME: "CI Optimization Coach" @@ -1216,8 +1215,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1272,9 +1269,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1291,6 +1288,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: cicoach steps: - name: Checkout actions folder @@ -1302,8 +1300,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 0273e22b7a..db841ade20 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -118,9 +116,9 @@ jobs: GH_AW_WORKFLOW_FILE: "ci-doctor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -141,16 +139,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_issue, missing_tool, missing_data, noop @@ -204,9 +202,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -232,10 +230,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -264,11 +262,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -294,10 +292,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cidoctor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -318,14 +314,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} REPO: ${{ github.repository }} @@ -335,7 +333,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -365,14 +363,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -381,21 +379,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[CI Failure Doctor] \". Labels [\"cookie\"] will be automatically added.", @@ -650,7 +648,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -840,8 +838,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -852,7 +850,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -881,7 +879,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -916,7 +914,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -953,7 +951,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -991,15 +989,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1009,7 +1007,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1026,9 +1024,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1037,18 +1035,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1129,9 +1127,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1181,9 +1179,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1229,6 +1227,8 @@ jobs: concurrency: group: "gh-aw-conclusion-ci-doctor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1243,8 +1243,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1270,9 +1268,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1285,9 +1283,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1310,9 +1308,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1329,9 +1327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1352,8 +1350,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1362,9 +1358,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check stop-time limit id: check_stop_time @@ -1374,9 +1370,9 @@ jobs: GH_AW_WORKFLOW_NAME: "CI Failure Doctor" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_stop_time.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_stop_time.cjs'); await main(); safe_outputs: @@ -1393,6 +1389,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ci-doctor" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🩺 *Diagnosis provided by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🏥 CI Doctor reporting for duty! [{workflow_name}]({run_url}) is examining the patient on this {event_type}...\",\"runSuccess\":\"🩺 Examination complete! [{workflow_name}]({run_url}) has delivered the diagnosis. Prescription issued! 💊\",\"runFailure\":\"🏥 Medical emergency! [{workflow_name}]({run_url}) {status}. Doctor needs assistance...\"}" GH_AW_WORKFLOW_ID: "ci-doctor" GH_AW_WORKFLOW_NAME: "CI Failure Doctor" @@ -1419,8 +1416,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1446,9 +1441,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1465,6 +1460,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: cidoctor steps: - name: Checkout actions folder @@ -1476,8 +1472,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 3ac1100c9f..732170a18b 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "claude-code-user-docs-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -187,9 +185,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -233,11 +231,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -264,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: claudecodeuserdocsreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,17 +283,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -327,9 +325,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -337,7 +335,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -348,21 +346,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -493,7 +491,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -604,8 +602,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -616,7 +614,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -644,7 +642,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -678,7 +676,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -802,15 +800,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -820,7 +818,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -837,9 +835,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -848,18 +846,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -938,9 +936,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1001,9 +999,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1048,6 +1046,8 @@ jobs: concurrency: group: "gh-aw-conclusion-claude-code-user-docs-review" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1062,8 +1062,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1088,9 +1086,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1102,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1126,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1144,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1161,6 +1159,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/claude-code-user-docs-review" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "claude-code-user-docs-review" GH_AW_WORKFLOW_ID: "claude-code-user-docs-review" GH_AW_WORKFLOW_NAME: "Claude Code User Documentation Review" @@ -1181,8 +1180,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1208,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1227,6 +1224,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: claudecodeuserdocsreview steps: - name: Checkout actions folder @@ -1238,8 +1236,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index d939a3a520..a6528c7b3e 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -57,8 +57,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -80,7 +78,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -97,9 +95,9 @@ jobs: GH_AW_WORKFLOW_FILE: "cli-consistency-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -114,15 +112,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -171,9 +169,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -189,10 +187,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -211,11 +209,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -242,10 +240,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cliconsistencychecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -266,14 +262,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -296,14 +294,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -312,21 +310,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[cli-consistency] \". Labels [\"automation\" \"cli\" \"documentation\" \"cookie\"] will be automatically added.", @@ -472,7 +470,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -590,8 +588,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -602,7 +600,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -631,7 +629,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -666,7 +664,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -704,7 +702,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -742,15 +740,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -759,7 +757,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -776,9 +774,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -787,18 +785,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -873,9 +871,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -926,9 +924,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -971,6 +969,8 @@ jobs: concurrency: group: "gh-aw-conclusion-cli-consistency-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -985,8 +985,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1010,9 +1008,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1023,9 +1021,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1044,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1061,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1077,6 +1075,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/cli-consistency-checker" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "cli-consistency-checker" GH_AW_WORKFLOW_NAME: "CLI Consistency Checker" outputs: @@ -1098,8 +1097,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1125,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 1bbaedcf31..9ea4bbf83a 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "cli-version-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,16 +124,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -190,9 +188,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -211,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -236,11 +234,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -265,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cliversionchecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,20 +284,22 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -331,9 +329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -341,7 +339,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -352,21 +350,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[ca] \". Labels [\"automation\" \"dependencies\" \"cookie\"] will be automatically added.", @@ -512,7 +510,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -630,8 +628,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -642,7 +640,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -670,7 +668,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -704,7 +702,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -829,15 +827,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -847,7 +845,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -864,9 +862,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -875,18 +873,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -965,9 +963,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1028,9 +1026,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1074,6 +1072,8 @@ jobs: concurrency: group: "gh-aw-conclusion-cli-version-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1088,8 +1088,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1113,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1126,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1147,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1164,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1180,6 +1178,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/cli-version-checker" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "cli-version-checker" GH_AW_WORKFLOW_NAME: "CLI Version Checker" outputs: @@ -1201,8 +1200,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1228,9 +1225,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1247,6 +1244,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: cliversionchecker steps: - name: Checkout actions folder @@ -1258,8 +1256,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 890a9b1120..1b5a9303d1 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -111,8 +111,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -134,11 +132,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -159,9 +157,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -169,18 +167,18 @@ jobs: GH_AW_WORKFLOW_FILE: "cloclo.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -201,22 +199,22 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -249,7 +247,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -280,9 +278,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -309,10 +307,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -342,11 +340,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -371,10 +369,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cloclo outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -394,8 +390,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -431,13 +425,17 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -467,9 +465,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -477,7 +475,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -488,10 +486,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -506,27 +504,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"title_prefix":"[cloclo] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -709,7 +707,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -848,8 +846,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -860,7 +858,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -890,7 +888,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -968,7 +966,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1136,15 +1134,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1154,7 +1152,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1172,9 +1170,9 @@ jobs: GH_AW_COMMAND: cloclo with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1183,18 +1181,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1274,9 +1272,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1337,9 +1335,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1385,6 +1383,8 @@ jobs: concurrency: group: "gh-aw-conclusion-cloclo" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1399,8 +1399,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1424,9 +1422,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1437,9 +1435,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1461,9 +1459,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1478,9 +1476,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1492,9 +1490,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1530,8 +1528,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1540,9 +1536,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1551,9 +1547,9 @@ jobs: GH_AW_COMMANDS: "[\"cloclo\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1571,6 +1567,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/cloclo" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎤 *Magnifique! Performance by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎵 Comme d'habitude! [{workflow_name}]({run_url}) takes the stage on this {event_type}...\",\"runSuccess\":\"🎤 Bravo! [{workflow_name}]({run_url}) has delivered a stunning performance! Standing ovation! 🌟\",\"runFailure\":\"🎵 Intermission... [{workflow_name}]({run_url}) {status}. The show must go on... eventually!\"}" GH_AW_WORKFLOW_ID: "cloclo" GH_AW_WORKFLOW_NAME: "/cloclo" @@ -1595,8 +1592,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1651,9 +1646,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1670,6 +1665,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: cloclo steps: - name: Checkout actions folder @@ -1681,8 +1677,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index a931a29de6..fb1a93ab60 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +83,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "code-scanning-fixer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,22 +117,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, add_labels, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -182,9 +180,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -262,10 +260,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: codescanningfixer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,17 +282,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -313,7 +311,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/campaigns CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,14 +334,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -353,21 +351,21 @@ jobs: CUSTOM_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_labels":{"allowed":["agentic-campaign","z_campaign_security-alert-burndown"],"max":3},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[code-scanning-fix] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/campaigns","id":"campaigns","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[code-scanning-fix] \". Labels [\"security\" \"automated-fix\" \"agentic-campaign\" \"z_campaign_security-alert-burndown\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -557,7 +555,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_labels": { "defaultMax": 5, @@ -697,8 +695,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -709,7 +707,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -738,7 +736,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -773,7 +771,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -811,7 +809,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -849,15 +847,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -866,7 +864,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -883,9 +881,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -894,18 +892,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -996,9 +994,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1049,9 +1047,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1097,6 +1095,8 @@ jobs: concurrency: group: "gh-aw-conclusion-code-scanning-fixer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1111,8 +1111,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1136,9 +1134,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1149,9 +1147,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1176,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1193,9 +1191,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1207,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1229,8 +1227,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1239,9 +1235,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1252,9 +1248,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); push_repo_memory: @@ -1266,6 +1262,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.patch_size_exceeded }} validation_error_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.validation_error }} @@ -1280,8 +1278,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1324,9 +1320,9 @@ jobs: FILE_GLOB_FILTER: "security-alert-burndown/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1343,6 +1339,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/code-scanning-fixer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "code-scanning-fixer" GH_AW_WORKFLOW_NAME: "Code Scanning Fixer" outputs: @@ -1364,8 +1361,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1420,9 +1415,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1439,6 +1434,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: codescanningfixer steps: - name: Checkout actions folder @@ -1450,8 +1446,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 6d4d0b0fff..c837e6df9a 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -112,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "code-simplifier.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,20 +127,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -195,9 +193,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -214,10 +212,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -237,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -266,10 +264,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: codesimplifier outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -290,14 +286,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -320,14 +318,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -336,21 +334,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"reviewers":["copilot"],"title_prefix":"[code-simplifier] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[code-simplifier] \". Labels [\"refactoring\" \"code-quality\" \"automation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -496,7 +494,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -617,8 +615,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -629,7 +627,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -658,7 +656,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -693,7 +691,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -730,7 +728,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -768,15 +766,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -786,7 +784,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -803,9 +801,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -814,18 +812,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -901,9 +899,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -953,9 +951,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -999,6 +997,8 @@ jobs: concurrency: group: "gh-aw-conclusion-code-simplifier" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1013,8 +1013,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1039,9 +1037,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1053,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1078,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1096,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1111,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1133,8 +1131,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1143,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1156,9 +1152,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1175,6 +1171,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/code-simplifier" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "code-simplifier" GH_AW_WORKFLOW_ID: "code-simplifier" GH_AW_WORKFLOW_NAME: "Code Simplifier" @@ -1197,8 +1194,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1253,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 6f0cbcbf0f..b3c9f60809 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -56,8 +56,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -79,11 +77,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -102,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "codex-github-remote-mcp-test.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,14 +116,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -170,9 +168,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -188,10 +186,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -210,11 +208,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -232,6 +230,7 @@ jobs: contents: read issues: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: codexgithubremotemcptest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -246,14 +245,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -276,9 +277,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -288,7 +289,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -297,10 +298,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -341,7 +342,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -369,7 +370,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -413,15 +414,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -432,7 +433,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -440,18 +441,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 2fe8a9f595..28a58865ea 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "commit-changes-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -189,9 +187,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -231,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -258,10 +256,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: commitchangesanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -281,14 +277,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -311,9 +309,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -321,7 +319,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -332,21 +330,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"dev\".", @@ -477,7 +475,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -588,8 +586,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -600,7 +598,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -628,7 +626,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -662,7 +660,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -783,15 +781,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -801,7 +799,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -818,9 +816,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -829,18 +827,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -913,9 +911,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -976,9 +974,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1022,6 +1020,8 @@ jobs: concurrency: group: "gh-aw-conclusion-commit-changes-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1036,8 +1036,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1061,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1074,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1097,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1114,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1131,6 +1129,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/commit-changes-analyzer" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "commit-changes-analyzer" GH_AW_WORKFLOW_NAME: "Commit Changes Analyzer" outputs: @@ -1150,8 +1149,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1177,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 87fcb8bc31..e8e7932b8b 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -58,8 +58,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,11 +79,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -103,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "constraint-solving-potd.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,16 +118,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -176,9 +174,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -197,10 +195,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -222,11 +220,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -250,10 +248,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: constraintsolvingpotd outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} @@ -273,17 +269,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -304,9 +302,9 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -315,21 +313,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"max_bot_mentions":1,"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"🧩 Constraint Solving POTD:\". Discussions will be created in category \"announcements\".", @@ -460,7 +458,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -571,8 +569,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -583,7 +581,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -612,7 +610,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -647,7 +645,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -684,7 +682,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -722,15 +720,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -740,7 +738,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -758,9 +756,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -769,18 +767,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -861,9 +859,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -913,9 +911,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -960,6 +958,8 @@ jobs: concurrency: group: "gh-aw-conclusion-constraint-solving-potd" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -974,8 +974,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -999,9 +997,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1012,9 +1010,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1035,9 +1033,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1052,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1069,6 +1067,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/constraint-solving-potd" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "constraint-solving-potd" GH_AW_WORKFLOW_NAME: "Constraint Solving — Problem of the Day" outputs: @@ -1088,8 +1087,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1115,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1134,6 +1131,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: constraintsolvingpotd steps: - name: Checkout actions folder @@ -1145,8 +1143,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index b603c45965..75b8d39563 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -61,8 +61,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,11 +82,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "contribution-check.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,15 +122,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, missing_tool, missing_data, noop @@ -181,9 +179,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -200,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -252,10 +250,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: contributioncheck outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,14 +272,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -306,27 +304,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":10,"target":"*","target-repo":"${{ vars.TARGET_REPOSITORY }}"},"add_labels":{"allowed":["spam","needs-work","outdated","lgtm"],"max":4,"target":"*","target-repo":"${{ vars.TARGET_REPOSITORY }}"},"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[Contribution Check Report]\". Labels [\"contribution-report\"] will be automatically added.", @@ -538,7 +536,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -693,8 +691,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -705,7 +703,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -733,7 +731,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -767,7 +765,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -804,7 +802,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -842,15 +840,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -860,7 +858,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -877,9 +875,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -888,18 +886,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -974,9 +972,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1026,9 +1024,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1073,6 +1071,8 @@ jobs: concurrency: group: "gh-aw-conclusion-contribution-check" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1087,8 +1087,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1112,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1125,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1147,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1164,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1182,6 +1180,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/contribution-check" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "contribution-check" GH_AW_WORKFLOW_NAME: "Contribution Check" outputs: @@ -1205,8 +1204,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1232,9 +1229,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 583c4e045e..e6d9fa2f80 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -111,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-agent-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,17 +127,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -199,9 +197,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -226,10 +224,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -257,11 +255,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -287,10 +285,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotagentanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -310,14 +306,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -328,7 +326,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -345,7 +343,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -368,9 +366,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -378,7 +376,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -389,21 +387,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-agent-analysis] \". Discussions will be created in category \"audits\".", @@ -549,7 +547,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -660,8 +658,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -672,7 +670,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -700,7 +698,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -734,7 +732,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -858,15 +856,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -876,7 +874,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -893,9 +891,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -904,18 +902,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1003,9 +1001,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1066,9 +1064,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1114,6 +1112,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-agent-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1128,8 +1128,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1153,9 +1151,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1166,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1193,9 +1191,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1210,9 +1208,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1224,6 +1222,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1238,8 +1238,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1282,9 +1280,9 @@ jobs: FILE_GLOB_FILTER: "memory/copilot-agent-analysis/*.json memory/copilot-agent-analysis/*.jsonl memory/copilot-agent-analysis/*.csv memory/copilot-agent-analysis/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1299,6 +1297,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-agent-analysis" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-agent-analysis" GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" outputs: @@ -1318,8 +1317,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1345,9 +1342,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1364,6 +1361,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotagentanalysis steps: - name: Checkout actions folder @@ -1375,8 +1373,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 201a28845d..63a2b40cca 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +83,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-cli-deep-research.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,16 +118,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -182,9 +180,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -266,10 +264,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotclideepresearch outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -290,14 +286,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -307,7 +305,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -330,14 +328,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -346,21 +344,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":204800,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-cli-research] \". Discussions will be created in category \"research\".", @@ -506,7 +504,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -617,8 +615,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -629,7 +627,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -658,7 +656,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -693,7 +691,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -753,7 +751,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -791,15 +789,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -808,7 +806,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -825,9 +823,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -836,18 +834,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -931,9 +929,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -984,9 +982,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1031,6 +1029,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-cli-deep-research" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1045,8 +1045,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1070,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1083,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1110,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1127,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1141,6 +1139,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1155,8 +1155,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1199,9 +1197,9 @@ jobs: FILE_GLOB_FILTER: "memory/copilot-cli-research/*.json memory/copilot-cli-research/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1216,6 +1214,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-cli-deep-research" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-cli-deep-research" GH_AW_WORKFLOW_NAME: "Copilot CLI Deep Research Agent" outputs: @@ -1235,8 +1234,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1262,9 +1259,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 7d63603f2b..f4f302f782 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -105,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-pr-merged-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,16 +120,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -195,9 +193,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -216,10 +214,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -241,11 +239,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -272,10 +270,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotprmergedreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -296,14 +292,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -314,7 +312,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -344,14 +342,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -360,21 +358,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-pr-merged-report] \". Discussions will be created in category \"audits\".", @@ -505,7 +503,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -616,8 +614,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -628,16 +626,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -664,7 +662,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -673,17 +671,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -695,7 +693,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -729,7 +727,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -762,7 +760,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -804,7 +802,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -844,7 +842,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -882,15 +880,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -899,7 +897,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -916,9 +914,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -927,27 +925,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1029,9 +1027,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1082,9 +1080,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1129,6 +1127,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-pr-merged-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1143,8 +1143,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1168,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1181,9 +1179,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1204,9 +1202,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1221,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1238,6 +1236,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-pr-merged-report" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-pr-merged-report" GH_AW_WORKFLOW_NAME: "Daily Copilot PR Merged Report" outputs: @@ -1257,8 +1256,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1284,9 +1281,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1303,6 +1300,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotprmergedreport steps: - name: Checkout actions folder @@ -1314,8 +1312,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index a5e22a5f9a..fd30541519 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -105,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-pr-nlp-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,17 +121,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -199,9 +197,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -226,10 +224,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -257,11 +255,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -288,10 +286,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotprnlpanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -312,14 +308,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -359,7 +357,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -376,7 +374,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -399,14 +397,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -415,21 +413,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[nlp-analysis] \". Discussions will be created in category \"audits\".", @@ -600,7 +598,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -720,8 +718,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -732,7 +730,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -764,7 +762,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -799,7 +797,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -840,7 +838,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -878,15 +876,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -895,7 +893,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -912,9 +910,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -923,18 +921,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1033,9 +1031,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1086,9 +1084,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1135,6 +1133,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-pr-nlp-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1149,8 +1149,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1187,9 +1185,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1214,9 +1212,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1231,9 +1229,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1245,6 +1243,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1259,8 +1259,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1303,9 +1301,9 @@ jobs: FILE_GLOB_FILTER: "memory/nlp-analysis/*.json memory/nlp-analysis/*.jsonl memory/nlp-analysis/*.csv memory/nlp-analysis/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1320,6 +1318,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-pr-nlp-analysis" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-pr-nlp-analysis" GH_AW_WORKFLOW_NAME: "Copilot PR Conversation NLP Analysis" outputs: @@ -1339,8 +1338,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1366,9 +1363,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1385,6 +1382,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotprnlpanalysis steps: - name: Checkout actions folder @@ -1396,8 +1394,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1441,8 +1437,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1497,8 +1491,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 17d4825d3e..b72750bab8 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -105,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-pr-prompt-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,17 +121,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -194,9 +192,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -221,10 +219,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -252,11 +250,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -283,10 +281,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotprpromptanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -307,14 +303,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -325,7 +323,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -342,7 +340,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -365,14 +363,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -381,21 +379,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[prompt-analysis] \". Discussions will be created in category \"audits\".", @@ -541,7 +539,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -652,8 +650,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -664,7 +662,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -693,7 +691,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -728,7 +726,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -766,7 +764,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -804,15 +802,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -821,7 +819,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -838,9 +836,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -849,18 +847,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -950,9 +948,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1003,9 +1001,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1051,6 +1049,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-pr-prompt-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1065,8 +1065,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1090,9 +1088,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1103,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1130,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1147,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1161,6 +1159,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1175,8 +1175,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1219,9 +1217,9 @@ jobs: FILE_GLOB_FILTER: "memory/prompt-analysis/*.json memory/prompt-analysis/*.jsonl memory/prompt-analysis/*.csv memory/prompt-analysis/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1236,6 +1234,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-pr-prompt-analysis" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-pr-prompt-analysis" GH_AW_WORKFLOW_NAME: "Copilot PR Prompt Pattern Analysis" outputs: @@ -1255,8 +1254,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1282,9 +1279,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1301,6 +1298,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotprpromptanalysis steps: - name: Checkout actions folder @@ -1312,8 +1310,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 98c5dd3428..4a197508f3 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -68,8 +68,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -113,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "copilot-session-insights.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,17 +130,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -212,9 +210,9 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -240,10 +238,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -272,11 +270,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -302,10 +300,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotsessioninsights outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -325,14 +321,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -365,7 +363,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -382,7 +380,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -405,9 +403,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -415,7 +413,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -426,21 +424,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-session-insights] \". Discussions will be created in category \"audits\".", @@ -611,7 +609,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -731,8 +729,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -743,7 +741,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -774,7 +772,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -808,7 +806,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -935,15 +933,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -953,7 +951,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -970,9 +968,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -981,18 +979,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1089,9 +1087,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1152,9 +1150,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1201,6 +1199,8 @@ jobs: concurrency: group: "gh-aw-conclusion-copilot-session-insights" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1215,8 +1215,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1240,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1253,9 +1251,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1280,9 +1278,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1297,9 +1295,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1311,6 +1309,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1325,8 +1325,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1369,9 +1367,9 @@ jobs: FILE_GLOB_FILTER: "memory/session-insights/*.json memory/session-insights/*.jsonl memory/session-insights/*.csv memory/session-insights/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1386,6 +1384,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-session-insights" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "copilot-session-insights" GH_AW_WORKFLOW_NAME: "Copilot Session Insights" outputs: @@ -1405,8 +1404,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1432,9 +1429,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1451,6 +1448,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: copilotsessioninsights steps: - name: Checkout actions folder @@ -1462,8 +1460,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1507,8 +1503,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1563,8 +1557,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 911fecacae..d458d94a83 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -70,8 +70,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,7 +91,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -113,9 +111,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -123,18 +121,18 @@ jobs: GH_AW_WORKFLOW_FILE: "craft.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -151,20 +149,20 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -197,7 +195,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -215,9 +213,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -237,10 +235,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -263,11 +261,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -291,10 +289,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: craft outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -315,14 +311,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install gh-aw extension run: |- gh extension remove gh-aw || true @@ -350,14 +348,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -366,21 +364,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -550,7 +548,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -673,8 +671,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -685,7 +683,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -714,7 +712,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -749,7 +747,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -787,7 +785,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -825,15 +823,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -842,7 +840,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -860,9 +858,9 @@ jobs: GH_AW_COMMAND: craft with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -871,18 +869,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -958,9 +956,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1011,9 +1009,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1058,6 +1056,8 @@ jobs: concurrency: group: "gh-aw-conclusion-craft" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1072,8 +1072,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1097,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1110,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1134,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1151,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1175,8 +1173,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1185,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1196,9 +1192,9 @@ jobs: GH_AW_COMMANDS: "[\"craft\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1216,6 +1212,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/craft" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚒️ *Crafted with care by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🛠️ Master Crafter at work! [{workflow_name}]({run_url}) is forging a new workflow on this {event_type}...\",\"runSuccess\":\"⚒️ Masterpiece complete! [{workflow_name}]({run_url}) has crafted your workflow. May it serve you well! 🎖️\",\"runFailure\":\"🛠️ Forge cooling down! [{workflow_name}]({run_url}) {status}. The anvil awaits another attempt...\"}" GH_AW_WORKFLOW_ID: "craft" GH_AW_WORKFLOW_NAME: "Workflow Craft Agent" @@ -1240,8 +1237,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1296,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index fe2ab99241..d85df02eaf 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +83,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-architecture-diagram.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,21 +117,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -181,9 +179,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -202,10 +200,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -227,11 +225,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -257,10 +255,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyarchitecturediagram outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -281,17 +277,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -321,14 +319,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -337,21 +335,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"create_pull_request":{"expires":168,"max":1,"title_prefix":"[architecture] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"🏗️ Architecture Diagram:\". Labels [\"architecture\" \"diagram\"] will be automatically added.", @@ -546,7 +544,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -700,8 +698,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -712,7 +710,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -741,7 +739,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -776,7 +774,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -814,7 +812,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -852,15 +850,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -869,7 +867,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -886,9 +884,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -897,18 +895,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -990,9 +988,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1043,9 +1041,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1090,6 +1088,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-architecture-diagram" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1104,8 +1104,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1129,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1142,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1165,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1182,9 +1180,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1196,9 +1194,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1215,6 +1213,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-architecture-diagram" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-architecture-diagram" GH_AW_WORKFLOW_NAME: "Architecture Diagram Generator" outputs: @@ -1238,8 +1237,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1294,9 +1291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1313,6 +1310,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyarchitecturediagram steps: - name: Checkout actions folder @@ -1324,8 +1322,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 452c6d5682..f83bd55f7f 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -57,8 +57,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -80,7 +78,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -97,9 +95,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-assign-issue-to-user.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -114,15 +112,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, assign_to_user, missing_tool, missing_data, noop @@ -169,9 +167,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -187,10 +185,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -209,11 +207,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -239,10 +237,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyassignissuetouser outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -263,14 +259,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -293,14 +291,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -309,21 +307,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1,"target":"*"},"assign_to_user":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: *.", @@ -496,7 +494,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -621,8 +619,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -633,7 +631,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -662,7 +660,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -697,7 +695,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -735,7 +733,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -773,15 +771,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -790,7 +788,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -807,9 +805,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -818,18 +816,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -904,9 +902,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -957,9 +955,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1004,6 +1002,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-assign-issue-to-user" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1018,8 +1018,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1043,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1056,9 +1054,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1077,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1094,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1112,6 +1110,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-assign-issue-to-user" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-assign-issue-to-user" GH_AW_WORKFLOW_NAME: "Auto-Assign Issue" outputs: @@ -1134,8 +1133,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1161,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index ae90e45736..5badc950d0 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -58,8 +58,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,11 +79,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -103,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-choice-test.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,15 +118,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: missing_tool, missing_data, noop @@ -175,9 +173,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -193,10 +191,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -215,11 +213,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -244,10 +242,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailychoicetest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -267,14 +263,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -297,9 +295,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -307,7 +305,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -318,21 +316,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"test_environment":{"description":"A test job with choice input","inputs":{"environment":{"default":null,"description":"Target environment","options":["staging","production"],"required":true,"type":"choice"},"test_type":{"default":null,"description":"Type of test to run","options":["smoke","integration","e2e"],"required":true,"type":"choice"}},"output":"Environment test completed successfully"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -460,7 +458,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -545,8 +543,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -557,7 +555,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -585,7 +583,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -619,7 +617,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -740,15 +738,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -758,7 +756,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -775,9 +773,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -786,18 +784,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -870,9 +868,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -933,9 +931,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -976,6 +974,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-choice-test" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -990,8 +990,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1016,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1030,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1052,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1070,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1083,6 +1081,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-choice-test" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUTS_STAGED: "true" GH_AW_TRACKER_ID: "daily-choice-test" GH_AW_WORKFLOW_ID: "daily-choice-test" @@ -1104,8 +1103,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1132,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); test_environment: @@ -1149,11 +1146,11 @@ jobs: uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: agent - path: /opt/gh-aw/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${{ env.GH_AW_HOME }}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${{ env.GH_AW_HOME }}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Display test configuration run: |- if [ -f "$GH_AW_AGENT_OUTPUT" ]; then diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 037e7a3227..12896d63ea 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +84,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -103,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-cli-performance.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,16 +120,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, missing_tool, missing_data, noop @@ -187,9 +185,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -212,10 +210,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -241,11 +239,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -271,10 +269,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycliperformance outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -295,14 +291,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -312,7 +310,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -335,14 +333,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -351,21 +349,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":5},"create_issue":{"expires":48,"group":true,"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":512000,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 3 issue(s) can be created. Title will be prefixed with \"[performance] \". Labels [\"performance\" \"automation\" \"cookie\"] will be automatically added.", @@ -563,7 +561,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -699,8 +697,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -711,16 +709,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "go", @@ -761,7 +759,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -770,17 +768,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash # Auto-generated mcp-script tool: go # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -792,8 +790,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GO_EOF - chmod +x /opt/gh-aw/mcp-scripts/go.sh - cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/go.sh + cat > ${GH_AW_HOME}/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash # Auto-generated mcp-script tool: make # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -804,7 +802,7 @@ jobs: make $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/mcp-scripts/make.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/make.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -836,7 +834,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -867,7 +865,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -909,7 +907,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -947,7 +945,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -985,15 +983,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1002,7 +1000,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1019,9 +1017,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1030,27 +1028,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1135,9 +1133,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1188,9 +1186,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1236,6 +1234,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-cli-performance" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1250,8 +1250,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1276,9 +1274,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1290,9 +1288,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1316,9 +1314,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1334,9 +1332,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1348,6 +1346,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1362,8 +1362,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1406,9 +1404,9 @@ jobs: FILE_GLOB_FILTER: "memory/cli-performance/*.json memory/cli-performance/*.jsonl memory/cli-performance/*.txt" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1424,6 +1422,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-cli-performance" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-cli-performance" GH_AW_WORKFLOW_ID: "daily-cli-performance" GH_AW_WORKFLOW_NAME: "Daily CLI Performance Agent" @@ -1448,8 +1447,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1475,9 +1472,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index cd646b08c1..197cf8002d 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-cli-tools-tester.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -185,9 +183,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -203,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -225,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -255,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyclitoolstester outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -279,8 +275,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -316,7 +310,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -339,14 +337,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -355,10 +353,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -373,27 +371,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[cli-tools-test] \". Labels [\"testing\" \"automation\" \"cli-tools\"] will be automatically added.", @@ -539,7 +537,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -657,8 +655,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -669,7 +667,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -699,7 +697,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -746,7 +744,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -783,7 +781,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -821,15 +819,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -839,7 +837,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -856,9 +854,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -867,18 +865,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -953,9 +951,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1005,9 +1003,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1050,6 +1048,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-cli-tools-tester" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1064,8 +1064,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1089,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1102,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1124,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1141,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1157,6 +1155,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-cli-tools-tester" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-cli-tools-tester" GH_AW_WORKFLOW_NAME: "Daily CLI Tools Exploratory Tester" outputs: @@ -1178,8 +1177,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1205,9 +1202,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index c3c13ea9d4..c6e8d5d338 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-code-metrics.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,17 +126,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -196,9 +194,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -223,10 +221,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -254,11 +252,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -283,10 +281,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycodemetrics outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,14 +302,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -339,7 +337,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -356,7 +354,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -379,9 +377,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -389,7 +387,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -400,21 +398,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":51200}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -585,7 +583,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -705,8 +703,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -717,7 +715,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -748,7 +746,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -782,7 +780,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -909,15 +907,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -927,7 +925,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -944,9 +942,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -955,18 +953,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1063,9 +1061,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1126,9 +1124,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1175,6 +1173,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-code-metrics" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1189,8 +1189,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1215,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1229,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1257,9 +1255,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1275,9 +1273,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1289,6 +1287,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1303,8 +1303,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1347,9 +1345,9 @@ jobs: FILE_GLOB_FILTER: "*.json *.jsonl *.csv *.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1364,6 +1362,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-code-metrics" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-code-metrics" GH_AW_WORKFLOW_ID: "daily-code-metrics" GH_AW_WORKFLOW_NAME: "Daily Code Metrics and Trend Tracking Agent" @@ -1384,8 +1383,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1411,9 +1408,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1430,6 +1427,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailycodemetrics steps: - name: Checkout actions folder @@ -1441,8 +1439,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1486,8 +1482,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1543,8 +1537,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 4cd1048369..c0a4c7512c 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +84,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -103,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-compiler-quality.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,16 +118,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -184,9 +182,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -205,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -230,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -260,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycompilerquality outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,17 +280,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -324,14 +322,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -340,21 +338,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -485,7 +483,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -596,8 +594,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -608,7 +606,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -637,7 +635,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -680,7 +678,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -739,7 +737,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -777,15 +775,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -794,7 +792,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -811,9 +809,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -822,18 +820,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -914,9 +912,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -967,9 +965,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1014,6 +1012,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-compiler-quality" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1028,8 +1028,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1054,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1068,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1092,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1110,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1127,6 +1125,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-compiler-quality" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-compiler-quality" GH_AW_WORKFLOW_ID: "daily-compiler-quality" GH_AW_WORKFLOW_NAME: "Daily Compiler Quality Check" @@ -1147,8 +1146,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1193,6 +1190,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailycompilerquality steps: - name: Checkout actions folder @@ -1204,8 +1202,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index e4e830ecf3..bfbd40025f 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +84,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -103,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-copilot-token-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,17 +119,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -187,9 +185,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -214,10 +212,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -245,11 +243,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -276,10 +274,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycopilottokenreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -300,10 +296,12 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Go @@ -367,7 +365,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -384,7 +382,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -407,14 +405,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -423,21 +421,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -608,7 +606,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -728,8 +726,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -740,7 +738,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -772,7 +770,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -807,7 +805,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -848,7 +846,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -886,15 +884,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -903,7 +901,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -920,9 +918,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -931,18 +929,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1041,9 +1039,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1094,9 +1092,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1143,6 +1141,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-copilot-token-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1157,8 +1157,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1183,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1197,9 +1195,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1225,9 +1223,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1243,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1257,6 +1255,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1271,8 +1271,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1315,9 +1313,9 @@ jobs: FILE_GLOB_FILTER: "memory/token-metrics/*.json memory/token-metrics/*.jsonl memory/token-metrics/*.csv memory/token-metrics/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1332,6 +1330,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-copilot-token-report" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-copilot-token-report" GH_AW_WORKFLOW_ID: "daily-copilot-token-report" GH_AW_WORKFLOW_NAME: "Daily Copilot Token Consumption Report" @@ -1352,8 +1351,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1379,9 +1376,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1398,6 +1395,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailycopilottokenreport steps: - name: Checkout actions folder @@ -1409,8 +1407,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1454,8 +1450,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1511,8 +1505,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 8a3d59262c..45b227a9de 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-doc-healer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,21 +124,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -192,9 +190,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -213,10 +211,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -238,11 +236,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -267,10 +265,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailydochealer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -290,8 +286,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -302,7 +296,11 @@ jobs: node-version: '24' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install QMD run: npm install -g @tobilu/qmd - name: Restore QMD index cache @@ -317,7 +315,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -347,9 +345,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -357,7 +355,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -368,21 +366,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":72,"max":1},"create_pull_request":{"expires":72,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[doc-healer] \". Labels [\"documentation\" \"automation\"] will be automatically added. Assignees [\"copilot\"] will be automatically assigned.", @@ -577,7 +575,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -731,8 +729,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -743,16 +741,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -780,7 +778,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -789,17 +787,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -811,7 +809,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -843,7 +841,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -873,7 +871,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -914,7 +912,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1063,15 +1061,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1081,7 +1079,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1098,9 +1096,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1109,27 +1107,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1210,9 +1208,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1273,9 +1271,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1320,6 +1318,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-doc-healer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1334,8 +1334,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1360,9 +1358,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1374,9 +1372,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1398,9 +1396,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1416,9 +1414,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1431,9 +1429,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1450,6 +1448,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-doc-healer" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-doc-healer" GH_AW_WORKFLOW_ID: "daily-doc-healer" GH_AW_WORKFLOW_NAME: "Daily Documentation Healer" @@ -1474,8 +1473,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1531,9 +1528,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' @@ -1543,9 +1540,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_copilot_to_created_issues.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1562,6 +1559,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailydochealer steps: - name: Checkout actions folder @@ -1573,8 +1571,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 16d1e59ee2..985dcf4516 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-doc-updater.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,21 +123,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -188,9 +186,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -209,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -263,10 +261,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailydocupdater outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,8 +282,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -298,7 +292,11 @@ jobs: node-version: '24' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install QMD run: npm install -g @tobilu/qmd - name: Restore QMD index cache @@ -313,7 +311,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -343,9 +341,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -353,7 +351,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -364,21 +362,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"auto_merge":true,"expires":24,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"automation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -524,7 +522,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -645,8 +643,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -657,16 +655,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -694,7 +692,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -703,17 +701,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -725,7 +723,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -757,7 +755,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -787,7 +785,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -828,7 +826,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -978,15 +976,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -996,7 +994,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1013,9 +1011,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1024,27 +1022,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1125,9 +1123,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1188,9 +1186,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1235,6 +1233,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-doc-updater" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1249,8 +1249,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1275,9 +1273,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1289,9 +1287,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1313,9 +1311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1331,9 +1329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1346,9 +1344,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1365,6 +1363,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-doc-updater" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-doc-updater" GH_AW_WORKFLOW_ID: "daily-doc-updater" GH_AW_WORKFLOW_NAME: "Daily Documentation Updater" @@ -1387,8 +1386,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1443,9 +1440,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1462,6 +1459,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailydocupdater steps: - name: Checkout actions folder @@ -1473,8 +1471,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index b7e47024bd..2139cb5a3b 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -51,8 +51,6 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -74,11 +72,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -88,9 +86,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-fact.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -105,15 +103,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -161,9 +159,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -179,10 +177,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -201,11 +199,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -232,10 +230,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfact outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -248,14 +244,16 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -278,9 +276,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -290,7 +288,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -299,21 +297,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1,"target":"4750"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: 4750.", @@ -447,7 +445,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -550,8 +548,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -562,7 +560,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -615,7 +613,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -649,7 +647,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -694,15 +692,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -713,7 +711,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -730,9 +728,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -741,18 +739,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -827,9 +825,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -866,9 +864,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -913,6 +911,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-fact" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -920,8 +920,6 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -946,9 +944,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -960,9 +958,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -983,9 +981,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1001,9 +999,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1020,6 +1018,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-fact" GH_AW_ENGINE_ID: "codex" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Penned with care by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 Hark! The muse awakens — [{workflow_name}]({run_url}) begins its verse upon this {event_type}...\",\"runSuccess\":\"✨ Lo! [{workflow_name}]({run_url}) hath woven its tale to completion, like a sonnet finding its final rhyme. 🌟\",\"runFailure\":\"🌧️ Alas! [{workflow_name}]({run_url}) {status}, its quill fallen mid-verse. The poem remains unfinished...\"}" GH_AW_TRACKER_ID: "daily-fact-thread" GH_AW_WORKFLOW_ID: "daily-fact" @@ -1036,8 +1035,6 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1063,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index af2f611797..7dfff0a8cd 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +88,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -107,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-file-diet.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,15 +122,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -193,9 +191,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -212,10 +210,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -235,11 +233,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -265,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfilediet outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,14 +285,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -319,14 +317,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -335,21 +333,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[file-diet] \". Labels [\"refactoring\" \"code-health\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -495,7 +493,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -613,8 +611,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -625,7 +623,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -654,7 +652,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -697,7 +695,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -757,7 +755,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -795,15 +793,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -812,7 +810,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -829,9 +827,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -840,18 +838,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -926,9 +924,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -979,9 +977,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1024,6 +1022,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-file-diet" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1038,8 +1038,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1064,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1078,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1100,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1118,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1140,8 +1138,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1150,9 +1146,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1163,9 +1159,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1179,6 +1175,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-file-diet" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-file-diet" GH_AW_WORKFLOW_ID: "daily-file-diet" GH_AW_WORKFLOW_NAME: "Daily File Diet" @@ -1201,8 +1198,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1228,9 +1223,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 88de42e3ed..e8b1eb66ae 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-firewall-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,16 +124,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -190,9 +188,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -211,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -236,11 +234,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -268,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfirewallreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -292,8 +288,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -329,7 +323,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: | mkdir -p /tmp/gh-aw/python/{data,charts,artifacts} @@ -355,7 +353,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -385,14 +383,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -401,10 +399,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -419,27 +417,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -595,7 +593,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -715,8 +713,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -727,7 +725,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -760,7 +758,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -807,7 +805,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -847,7 +845,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -885,15 +883,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -903,7 +901,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -920,9 +918,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -931,18 +929,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1032,9 +1030,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1084,9 +1082,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1132,6 +1130,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-firewall-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1146,8 +1146,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1172,9 +1170,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1186,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1211,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1229,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1246,6 +1244,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-firewall-report" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-firewall-report" GH_AW_WORKFLOW_ID: "daily-firewall-report" GH_AW_WORKFLOW_NAME: "Daily Firewall Logs Collector and Reporter" @@ -1266,8 +1265,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1293,9 +1290,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1312,6 +1309,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyfirewallreport steps: - name: Checkout actions folder @@ -1323,8 +1321,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1368,8 +1364,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1425,8 +1419,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 1646679135..5072a5749c 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-function-namer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,16 +124,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -191,9 +189,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -212,10 +210,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -237,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -266,10 +264,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfunctionnamer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,17 +285,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -329,9 +327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -339,7 +337,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -350,21 +348,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[function-namer] \". Labels [\"refactoring\" \"code-quality\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -510,7 +508,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -628,8 +626,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -640,7 +638,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -668,7 +666,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -718,7 +716,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -854,15 +852,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -872,7 +870,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -889,9 +887,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -900,18 +898,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -990,9 +988,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1053,9 +1051,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1099,6 +1097,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-function-namer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1113,8 +1113,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1139,9 +1137,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1153,9 +1151,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1175,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1193,9 +1191,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1209,6 +1207,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-function-namer" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-function-namer" GH_AW_WORKFLOW_ID: "daily-function-namer" GH_AW_WORKFLOW_NAME: "Daily Go Function Namer" @@ -1231,8 +1230,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1258,9 +1255,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1277,6 +1274,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyfunctionnamer steps: - name: Checkout actions folder @@ -1288,8 +1286,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index d32743f81c..d3c71bfb5e 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -69,8 +69,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -95,11 +93,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -118,9 +116,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-issues-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -135,16 +133,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, upload_asset, missing_tool, missing_data, noop @@ -210,9 +208,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -232,10 +230,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -258,11 +256,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -289,10 +287,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyissuesreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -312,14 +308,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -352,7 +350,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -382,9 +380,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -394,20 +392,20 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily issues] \". Discussions will be created in category \"audits\".", @@ -605,7 +603,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -752,8 +750,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -764,7 +762,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -819,7 +817,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -853,7 +851,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -901,15 +899,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -920,7 +918,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -937,9 +935,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -948,18 +946,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1049,9 +1047,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1088,9 +1086,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1136,6 +1134,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-issues-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1150,8 +1150,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1176,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1190,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1214,9 +1212,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1232,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1254,8 +1252,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1264,9 +1260,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1281,6 +1277,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-issues-report" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-issues-report" GH_AW_WORKFLOW_ID: "daily-issues-report" GH_AW_WORKFLOW_NAME: "Daily Issues Report Generator" @@ -1301,8 +1298,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1328,9 +1323,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1347,6 +1342,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyissuesreport steps: - name: Checkout actions folder @@ -1358,8 +1354,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1403,8 +1397,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1460,8 +1452,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 9c374b74d7..519882616d 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +83,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-malicious-code-scan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,15 +117,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_code_scanning_alert, missing_tool, missing_data, noop @@ -178,9 +176,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -196,10 +194,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -218,11 +216,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -248,10 +246,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailymaliciouscodescan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -270,14 +266,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -300,14 +298,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -316,21 +314,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_code_scanning_alert":{"max":0},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a code scanning alert for security vulnerabilities, code quality issues, or other findings. Alerts appear in the repository's Security tab and integrate with GitHub's security features. Use this for automated security analysis results.", @@ -487,7 +485,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_code_scanning_alert": { "defaultMax": 40, @@ -613,8 +611,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -625,7 +623,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -654,7 +652,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -689,7 +687,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -727,7 +725,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -765,15 +763,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -782,7 +780,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -799,9 +797,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -810,18 +808,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -869,6 +867,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-malicious-code-scan" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -883,8 +883,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -909,9 +907,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -923,9 +921,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -945,9 +943,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -963,9 +961,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -979,6 +977,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-malicious-code-scan" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "malicious-code-scan" GH_AW_WORKFLOW_ID: "daily-malicious-code-scan" GH_AW_WORKFLOW_NAME: "Daily Malicious Code Scan Agent" @@ -999,8 +998,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1026,9 +1023,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index f8c834f3a5..86c4643f28 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +83,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-mcp-concurrency-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,16 +117,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_agent_session, missing_tool, missing_data, noop @@ -183,9 +181,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -204,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -229,11 +227,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -259,10 +257,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailymcpconcurrencyanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,17 +279,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -323,14 +321,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -339,21 +337,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_agent_session":{"max":3},"create_issue":{"expires":168,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[concurrency] \". Labels [\"bug\" \"concurrency\" \"thread-safety\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -524,7 +522,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_agent_session": { "defaultMax": 1, @@ -657,8 +655,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -669,7 +667,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -698,7 +696,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -741,7 +739,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -801,7 +799,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -839,15 +837,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -856,7 +854,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -873,9 +871,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -884,18 +882,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -976,9 +974,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1029,9 +1027,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1075,6 +1073,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-mcp-concurrency-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1089,8 +1089,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1115,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1129,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1151,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1169,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1185,6 +1183,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-mcp-concurrency-analysis" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "mcp-concurrency-analysis" GH_AW_WORKFLOW_ID: "daily-mcp-concurrency-analysis" GH_AW_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" @@ -1209,8 +1208,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1236,9 +1233,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Create Agent Session id: create_agent_session @@ -1249,7 +1246,7 @@ jobs: with: github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); - name: Upload Safe Output Items Manifest @@ -1267,6 +1264,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailymcpconcurrencyanalysis steps: - name: Checkout actions folder @@ -1278,8 +1276,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index bb4c4dfeba..4d5617d6a7 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -69,8 +69,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -92,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -114,9 +112,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-multi-device-docs-tester.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -132,16 +130,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, upload_asset, missing_tool, missing_data, noop @@ -201,9 +199,9 @@ jobs: GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -220,10 +218,10 @@ jobs: GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -243,11 +241,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -272,10 +270,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailymultidevicedocstester outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -295,14 +291,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -325,9 +323,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -335,7 +333,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -346,21 +344,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"cookie\"] will be automatically added.", @@ -531,7 +529,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -658,8 +656,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -670,7 +668,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -702,7 +700,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -753,7 +751,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -919,15 +917,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -937,7 +935,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -954,9 +952,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -965,18 +963,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1058,9 +1056,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1121,9 +1119,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1167,6 +1165,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-multi-device-docs-tester" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1181,8 +1181,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1207,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1221,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1243,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1261,9 +1259,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1277,6 +1275,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-multi-device-docs-tester" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-multi-device-docs-tester" GH_AW_WORKFLOW_ID: "daily-multi-device-docs-tester" GH_AW_WORKFLOW_NAME: "Multi-Device Docs Tester" @@ -1299,8 +1298,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1326,9 +1323,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1358,8 +1355,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1415,8 +1410,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index f586831981..8306487cbc 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -105,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-news.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,17 +121,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -197,9 +195,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -224,10 +222,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -255,11 +253,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -287,10 +285,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailynews outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -311,14 +307,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Setup Python environment @@ -412,7 +410,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -429,7 +427,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -452,14 +450,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -468,21 +466,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"daily-news\".", @@ -653,7 +651,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -773,8 +771,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -785,7 +783,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -818,7 +816,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -866,7 +864,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -908,7 +906,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -946,15 +944,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -964,7 +962,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -981,9 +979,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -992,18 +990,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1102,9 +1100,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1155,9 +1153,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1204,6 +1202,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-news" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1218,8 +1218,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1244,9 +1242,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1258,9 +1256,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1286,9 +1284,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1304,9 +1302,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1318,6 +1316,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1332,8 +1332,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1376,9 +1374,9 @@ jobs: FILE_GLOB_FILTER: "memory/daily-news/*.json memory/daily-news/*.jsonl memory/daily-news/*.csv memory/daily-news/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1393,6 +1391,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-news" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-news-weekday" GH_AW_WORKFLOW_ID: "daily-news" GH_AW_WORKFLOW_NAME: "Daily News" @@ -1413,8 +1412,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1440,9 +1437,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1459,6 +1456,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailynews steps: - name: Checkout actions folder @@ -1470,8 +1468,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1515,8 +1511,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1572,8 +1566,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index bd4354b720..3ca83f722f 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -111,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-observability-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, missing_tool, missing_data, noop @@ -188,9 +186,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,10 +205,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -230,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -261,10 +259,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyobservabilityreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,8 +280,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -321,7 +315,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -344,9 +342,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -356,7 +354,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -365,10 +363,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -383,27 +381,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[observability] \". Discussions will be created in category \"audits\".", @@ -576,7 +574,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -714,8 +712,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -726,7 +724,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -785,7 +783,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -830,7 +828,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -875,15 +873,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -894,7 +892,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -911,9 +909,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -922,18 +920,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1008,9 +1006,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1047,9 +1045,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1093,6 +1091,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-observability-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1107,8 +1107,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1133,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1147,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1171,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1189,9 +1187,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1211,8 +1209,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1221,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1238,6 +1234,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-observability-report" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-observability-report" GH_AW_WORKFLOW_ID: "daily-observability-report" GH_AW_WORKFLOW_NAME: "Daily Observability Report for AWF Firewall and MCP Gateway" @@ -1258,8 +1255,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1285,9 +1280,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 863111bb71..fb634b0a0f 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-performance-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,16 +125,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, upload_asset, missing_tool, missing_data, noop @@ -196,9 +194,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -217,10 +215,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -242,11 +240,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -273,10 +271,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyperformancesummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -297,14 +293,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: | mkdir -p /tmp/gh-aw/python/{data,charts,artifacts} @@ -330,7 +328,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -360,14 +358,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -376,21 +374,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily performance] \". Discussions will be created in category \"audits\".", @@ -588,7 +586,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -735,8 +733,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -747,16 +745,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "github-discussion-query", @@ -847,7 +845,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -856,17 +854,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1002,8 +1000,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1083,8 +1081,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1170,7 +1168,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1203,7 +1201,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1238,7 +1236,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1280,7 +1278,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1321,7 +1319,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1359,15 +1357,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1377,7 +1375,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1394,9 +1392,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1405,27 +1403,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1516,9 +1514,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1568,9 +1566,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1616,6 +1614,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-performance-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1630,8 +1630,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1656,9 +1654,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1670,9 +1668,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1695,9 +1693,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1713,9 +1711,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1730,6 +1728,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-performance-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-performance-summary" GH_AW_WORKFLOW_ID: "daily-performance-summary" GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" @@ -1750,8 +1749,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1777,9 +1774,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1796,6 +1793,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyperformancesummary steps: - name: Checkout actions folder @@ -1807,8 +1805,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1852,8 +1848,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1909,8 +1903,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 2664d2b995..59d211d9f8 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-regulatory.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,15 +124,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, missing_tool, missing_data, noop @@ -189,9 +187,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,10 +205,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -229,11 +227,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -260,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyregulatory outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,14 +280,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -314,14 +312,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -330,21 +328,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily regulatory] \". Discussions will be created in category \"audits\".", @@ -517,7 +515,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -655,8 +653,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -667,16 +665,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "github-discussion-query", @@ -767,7 +765,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -776,17 +774,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -922,8 +920,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1003,8 +1001,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1090,7 +1088,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1123,7 +1121,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1155,7 +1153,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1197,7 +1195,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1235,7 +1233,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1273,15 +1271,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1291,7 +1289,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1308,9 +1306,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1319,27 +1317,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1415,9 +1413,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1467,9 +1465,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1513,6 +1511,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-regulatory" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1527,8 +1527,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1553,9 +1551,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1567,9 +1565,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1592,9 +1590,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1610,9 +1608,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1627,6 +1625,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-regulatory" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-regulatory" GH_AW_WORKFLOW_ID: "daily-regulatory" GH_AW_WORKFLOW_NAME: "Daily Regulatory Report Generator" @@ -1647,8 +1646,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1674,9 +1671,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index dded9b85f1..ff27072d54 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -112,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-rendering-scripts-verifier.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,21 +127,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -196,9 +194,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -218,10 +216,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -244,11 +242,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -274,10 +272,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyrenderingscriptsverifier outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -297,8 +293,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -334,10 +328,14 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -367,9 +365,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -377,7 +375,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -388,10 +386,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -406,27 +404,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":72,"max":1,"reviewers":["copilot"],"title_prefix":"[rendering-scripts] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[rendering-scripts] \". Labels [\"rendering\" \"javascript\" \"automated-fix\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -572,7 +570,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -693,8 +691,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -705,7 +703,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -734,7 +732,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -779,7 +777,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -933,15 +931,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -951,7 +949,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -968,9 +966,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -979,18 +977,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1070,9 +1068,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1133,9 +1131,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1180,6 +1178,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-rendering-scripts-verifier" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1194,8 +1194,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1220,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1234,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1258,9 +1256,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1276,9 +1274,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1291,9 +1289,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1313,8 +1311,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1323,9 +1319,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1336,9 +1332,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1355,6 +1351,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-rendering-scripts-verifier" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-rendering-scripts-verifier" GH_AW_WORKFLOW_ID: "daily-rendering-scripts-verifier" GH_AW_WORKFLOW_NAME: "Daily Rendering Scripts Verifier" @@ -1377,8 +1374,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1433,9 +1428,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1452,6 +1447,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyrenderingscriptsverifier steps: - name: Checkout actions folder @@ -1463,8 +1459,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 84256655db..0bb78ffd74 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +84,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -103,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-repo-chronicle.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,16 +118,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -188,9 +186,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -209,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -265,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyrepochronicle outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,14 +285,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -322,7 +320,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -352,14 +350,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -368,21 +366,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"📰 \". Discussions will be created in category \"announcements\".", @@ -538,7 +536,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -658,8 +656,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -670,7 +668,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -702,7 +700,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -737,7 +735,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -778,7 +776,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -816,15 +814,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -833,7 +831,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -850,9 +848,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -861,18 +859,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -962,9 +960,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1015,9 +1013,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1063,6 +1061,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-repo-chronicle" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1077,8 +1077,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1103,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1117,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1141,9 +1139,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1159,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1176,6 +1174,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-repo-chronicle" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-repo-chronicle" GH_AW_WORKFLOW_ID: "daily-repo-chronicle" GH_AW_WORKFLOW_NAME: "The Daily Repository Chronicle" @@ -1196,8 +1195,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1223,9 +1220,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1242,6 +1239,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailyrepochronicle steps: - name: Checkout actions folder @@ -1253,8 +1251,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1298,8 +1294,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1355,8 +1349,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 886fa8b9db..b32949b0df 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -68,8 +68,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -113,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-safe-output-optimizer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,16 +128,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -196,9 +194,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -218,10 +216,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -244,11 +242,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -274,10 +272,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysafeoutputoptimizer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -297,8 +293,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -334,7 +328,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -344,7 +342,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -374,9 +372,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -384,7 +382,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -395,10 +393,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -413,27 +411,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[safeoutputs] \". Labels [\"bug\" \"safe-outputs\" \"tool-improvement\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -579,7 +577,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -697,8 +695,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -709,7 +707,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -738,7 +736,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -783,7 +781,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -922,15 +920,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -940,7 +938,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -957,9 +955,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -968,18 +966,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1058,9 +1056,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1121,9 +1119,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1167,6 +1165,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-safe-output-optimizer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1181,8 +1181,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1206,9 +1204,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1219,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1240,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1257,9 +1255,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1279,8 +1277,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1289,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1302,9 +1298,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1318,6 +1314,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-safe-output-optimizer" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-safe-output-optimizer" GH_AW_WORKFLOW_NAME: "Daily Safe Output Tool Optimizer" outputs: @@ -1339,8 +1336,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1366,9 +1361,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1385,6 +1380,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: dailysafeoutputoptimizer steps: - name: Checkout actions folder @@ -1396,8 +1392,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 9d5d143b5e..f69e2f2752 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-safe-outputs-conformance.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -185,9 +183,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -203,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -225,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -253,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysafeoutputsconformance outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,14 +272,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -306,9 +304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -316,7 +314,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -327,21 +325,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":24,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[Safe Outputs Conformance] \". Labels [\"safe-outputs\" \"conformance\" \"automated\"] will be automatically added.", @@ -487,7 +485,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -605,8 +603,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -617,7 +615,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -645,7 +643,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -679,7 +677,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -799,15 +797,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -817,7 +815,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -834,9 +832,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -845,18 +843,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -929,9 +927,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -992,9 +990,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1037,6 +1035,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-safe-outputs-conformance" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1051,8 +1051,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1077,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1091,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1113,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1131,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1147,6 +1145,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-safe-outputs-conformance" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "safe-outputs-conformance" GH_AW_WORKFLOW_ID: "daily-safe-outputs-conformance" GH_AW_WORKFLOW_NAME: "Daily Safe Outputs Conformance Checker" @@ -1169,8 +1168,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1196,9 +1193,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index f1bbf8eaaa..f493aead00 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +83,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-secrets-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,15 +117,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, close_discussion, missing_tool, missing_data, noop @@ -179,9 +177,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -197,10 +195,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -219,11 +217,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -250,10 +248,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysecretsanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -274,14 +270,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -304,14 +302,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -320,21 +318,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":10},"create_discussion":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily secrets] \". Discussions will be created in category \"audits\".", @@ -507,7 +505,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -645,8 +643,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -657,7 +655,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -686,7 +684,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -721,7 +719,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -759,7 +757,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -797,15 +795,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -814,7 +812,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -831,9 +829,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -842,18 +840,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -928,9 +926,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -981,9 +979,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1027,6 +1025,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-secrets-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1041,8 +1041,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1067,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1081,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1105,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1123,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1140,6 +1138,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-secrets-analysis" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-secrets-analysis" GH_AW_WORKFLOW_ID: "daily-secrets-analysis" GH_AW_WORKFLOW_NAME: "Daily Secrets Analysis Agent" @@ -1160,8 +1159,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1187,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index fd5d48bf2f..c99d108e98 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-security-red-team.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,15 +124,15 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -187,9 +185,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -229,11 +227,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -257,10 +255,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysecurityredteam outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,14 +276,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -310,9 +308,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -320,7 +318,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -331,21 +329,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"🚨 [SECURITY]\". Labels [\"security\" \"red-team\"] will be automatically added.", @@ -491,7 +489,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -609,8 +607,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -621,7 +619,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -649,7 +647,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -683,7 +681,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -803,15 +801,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -821,7 +819,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -838,9 +836,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -849,18 +847,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -933,9 +931,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -996,9 +994,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1041,6 +1039,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-security-red-team" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1055,8 +1055,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1081,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1095,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1117,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1135,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1151,6 +1149,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-security-red-team" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "security-red-team" GH_AW_WORKFLOW_ID: "daily-security-red-team" GH_AW_WORKFLOW_NAME: "Daily Security Red Team Agent" @@ -1173,8 +1172,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1200,9 +1197,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index beb1554a8e..369a20d3c7 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-semgrep-scan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_code_scanning_alert, missing_tool, missing_data, noop @@ -183,9 +181,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -253,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysemgrepscan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,14 +273,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -307,14 +305,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -323,21 +321,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine semgrep/semgrep:latest + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine semgrep/semgrep:latest - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_code_scanning_alert":{"max":0},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a code scanning alert for security vulnerabilities, code quality issues, or other findings. Alerts appear in the repository's Security tab and integrate with GitHub's security features. Use this for automated security analysis results.", @@ -494,7 +492,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_code_scanning_alert": { "defaultMax": 40, @@ -620,8 +618,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -632,7 +630,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -661,7 +659,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -709,7 +707,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -746,7 +744,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -784,15 +782,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -802,7 +800,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -819,9 +817,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -830,18 +828,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -916,9 +914,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -968,9 +966,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1013,6 +1011,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-semgrep-scan" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1027,8 +1027,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1052,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1065,9 +1063,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1087,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1104,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1120,6 +1118,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-semgrep-scan" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "daily-semgrep-scan" GH_AW_WORKFLOW_NAME: "Daily Semgrep Scan" outputs: @@ -1139,8 +1138,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1166,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index d0537d44a4..36409b28da 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +83,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-syntax-error-quality.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,15 +117,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -179,9 +177,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -197,10 +195,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -219,11 +217,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -249,10 +247,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysyntaxerrorquality outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -273,14 +269,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: @@ -316,27 +314,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":72,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[syntax-error-quality] \". Labels [\"dx\" \"error-messages\" \"automated-analysis\"] will be automatically added.", @@ -482,7 +480,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -600,8 +598,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -612,7 +610,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -640,7 +638,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -674,7 +672,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -733,7 +731,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -771,15 +769,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -788,7 +786,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -805,9 +803,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -816,18 +814,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -902,9 +900,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -955,9 +953,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1000,6 +998,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-syntax-error-quality" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1014,8 +1014,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1040,9 +1038,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1054,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1076,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1094,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1110,6 +1108,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-syntax-error-quality" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-syntax-error-quality" GH_AW_WORKFLOW_ID: "daily-syntax-error-quality" GH_AW_WORKFLOW_NAME: "Daily Syntax Error Quality Check" @@ -1132,8 +1131,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1159,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index ab0fe29394..c9b3686d22 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-team-evolution-insights.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -185,9 +183,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -203,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -225,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -256,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyteamevolutioninsights outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -279,14 +275,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -309,9 +307,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -319,7 +317,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -330,21 +328,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -475,7 +473,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -586,8 +584,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -598,7 +596,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -626,7 +624,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -660,7 +658,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -780,15 +778,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -798,7 +796,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -815,9 +813,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -826,18 +824,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -910,9 +908,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -973,9 +971,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1019,6 +1017,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-team-evolution-insights" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1033,8 +1033,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1059,9 +1057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1073,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1097,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1115,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1132,6 +1130,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-team-evolution-insights" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-team-evolution-insights" GH_AW_WORKFLOW_ID: "daily-team-evolution-insights" GH_AW_WORKFLOW_NAME: "Daily Team Evolution Insights" @@ -1152,8 +1151,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1179,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index e3b0176bcc..4829ae2814 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -72,8 +72,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -95,11 +93,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -117,9 +115,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-team-status.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -134,15 +132,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -192,9 +190,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -211,10 +209,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -263,10 +261,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyteamstatus outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,14 +283,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -317,14 +315,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -333,21 +331,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[team-status] \". Labels [\"automation\" \"daily-report\"] will be automatically added.", @@ -493,7 +491,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -611,8 +609,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -623,7 +621,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -652,7 +650,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -687,7 +685,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -724,7 +722,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -762,15 +760,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -780,7 +778,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -797,9 +795,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -808,18 +806,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -894,9 +892,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -946,9 +944,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -991,6 +989,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-team-status" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1005,8 +1005,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1033,9 +1031,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1049,9 +1047,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1074,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1094,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1116,8 +1114,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check stop-time limit id: check_stop_time uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1126,9 +1122,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Daily Team Status" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_stop_time.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_stop_time.cjs'); await main(); safe_outputs: @@ -1142,6 +1138,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-team-status" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-team-status" GH_AW_WORKFLOW_ID: "daily-team-status" GH_AW_WORKFLOW_NAME: "Daily Team Status" @@ -1166,8 +1163,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1193,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 56d6975bf2..feee842cd7 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -68,8 +68,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +89,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-testify-uber-super-expert.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,16 +124,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -196,9 +194,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -221,10 +219,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -250,11 +248,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -280,10 +278,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailytestifyubersuperexpert outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -304,14 +300,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -321,7 +319,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -344,14 +342,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -360,21 +358,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":51200,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[testify-expert] \". Labels [\"testing\" \"code-quality\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -535,7 +533,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -653,8 +651,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -665,7 +663,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -694,7 +692,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -737,7 +735,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -796,7 +794,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -834,15 +832,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -851,7 +849,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -868,9 +866,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -879,18 +877,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -974,9 +972,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1027,9 +1025,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1073,6 +1071,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-testify-uber-super-expert" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1087,8 +1087,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1113,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1127,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1153,9 +1151,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1171,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1193,8 +1191,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1203,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1216,9 +1212,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); push_repo_memory: @@ -1230,6 +1226,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1244,8 +1242,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1288,9 +1284,9 @@ jobs: FILE_GLOB_FILTER: "memory/testify-expert/*.json memory/testify-expert/*.txt" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1304,6 +1300,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-testify-uber-super-expert" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-testify-uber-super-expert" GH_AW_WORKFLOW_ID: "daily-testify-uber-super-expert" GH_AW_WORKFLOW_NAME: "Daily Testify Uber Super Expert" @@ -1326,8 +1323,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1353,9 +1348,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 7da0cc0688..947d353f5a 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -58,8 +58,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,7 +79,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -98,9 +96,9 @@ jobs: GH_AW_WORKFLOW_FILE: "daily-workflow-updater.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -115,20 +113,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -173,9 +171,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -191,10 +189,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -213,11 +211,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -243,10 +241,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyworkflowupdater outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -267,14 +263,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -297,14 +295,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -313,21 +311,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"title_prefix":"[actions] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[actions] \". Labels [\"dependencies\" \"automation\"] will be automatically added.", @@ -473,7 +471,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -594,8 +592,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -606,7 +604,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -635,7 +633,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -670,7 +668,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -708,7 +706,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -746,15 +744,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -763,7 +761,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -780,9 +778,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -791,18 +789,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -878,9 +876,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -931,9 +929,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -977,6 +975,8 @@ jobs: concurrency: group: "gh-aw-conclusion-daily-workflow-updater" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -991,8 +991,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1017,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1031,9 +1029,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1055,9 +1053,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1073,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1088,9 +1086,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1107,6 +1105,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-workflow-updater" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "daily-workflow-updater" GH_AW_WORKFLOW_ID: "daily-workflow-updater" GH_AW_WORKFLOW_NAME: "Daily Workflow Updater" @@ -1129,8 +1128,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1185,9 +1182,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 534a9f3678..d969247fd5 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +86,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -105,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dead-code-remover.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,21 +121,21 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -188,9 +186,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -211,10 +209,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -238,11 +236,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -268,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: deadcoderemover outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -292,8 +288,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -306,13 +300,17 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install deadcode analyzer run: go install golang.org/x/tools/cmd/deadcode@latest # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -342,14 +340,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -359,21 +357,21 @@ jobs: CUSTOM_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":72,"max":1,"reviewers":["copilot"],"title_prefix":"[dead-code] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[dead-code] \". Labels [\"chore\" \"dead-code\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -519,7 +517,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -640,8 +638,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -652,7 +650,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -681,7 +679,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -716,7 +714,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -754,7 +752,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -792,15 +790,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -809,7 +807,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -826,9 +824,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -837,18 +835,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -930,9 +928,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -983,9 +981,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1030,6 +1028,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dead-code-remover" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1044,8 +1044,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1069,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1082,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1105,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1122,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1136,9 +1134,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1158,8 +1156,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1168,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1181,9 +1177,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1200,6 +1196,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dead-code-remover" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dead-code-remover" GH_AW_WORKFLOW_NAME: "Dead Code Removal Agent" outputs: @@ -1221,8 +1218,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1277,9 +1272,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1296,6 +1291,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: deadcoderemover steps: - name: Checkout actions folder @@ -1307,8 +1303,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 96585108e0..1c341b8bd9 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "deep-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,17 +126,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, upload_asset, missing_tool, missing_data, noop @@ -196,9 +194,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -223,10 +221,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -254,11 +252,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -286,10 +284,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: deepreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -309,8 +305,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -346,7 +340,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -357,7 +355,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -374,7 +372,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -397,9 +395,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -409,7 +407,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -418,10 +416,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -436,27 +434,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_issue":{"expires":48,"group":true,"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":1048576,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 3 issue(s) can be created. Title will be prefixed with \"[deep-report] \". Labels [\"automation\" \"improvement\" \"quick-win\" \"cookie\"] will be automatically added.", @@ -676,7 +674,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -829,8 +827,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -841,7 +839,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -903,7 +901,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -948,7 +946,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -996,15 +994,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -1015,7 +1013,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1032,9 +1030,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1043,18 +1041,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1153,9 +1151,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1192,9 +1190,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1241,6 +1239,8 @@ jobs: concurrency: group: "gh-aw-conclusion-deep-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1255,8 +1255,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1281,9 +1279,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1295,9 +1293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1323,9 +1321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1341,9 +1339,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1355,6 +1353,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1369,8 +1369,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1413,9 +1411,9 @@ jobs: FILE_GLOB_FILTER: "memory/deep-report/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1430,6 +1428,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/deep-report" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "deep-report-intel-agent" GH_AW_WORKFLOW_ID: "deep-report" GH_AW_WORKFLOW_NAME: "DeepReport - Intelligence Gathering Agent" @@ -1452,8 +1451,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1479,9 +1476,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1498,6 +1495,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: deepreport steps: - name: Checkout actions folder @@ -1509,8 +1507,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1554,8 +1550,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1611,8 +1605,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index bfe7c65580..3a954a2702 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +84,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -103,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "delight.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,16 +119,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, missing_tool, missing_data, noop @@ -185,9 +183,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -209,10 +207,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -237,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -268,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: delight outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -292,14 +288,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" @@ -312,7 +310,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -335,14 +333,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -351,21 +349,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_issue":{"expires":48,"group":true,"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 2 issue(s) can be created. Labels [\"delight\" \"cookie\"] will be automatically added.", @@ -560,7 +558,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -704,8 +702,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -716,7 +714,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -745,7 +743,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -780,7 +778,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -841,7 +839,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -879,15 +877,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -896,7 +894,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -913,9 +911,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -924,18 +922,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1019,9 +1017,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1072,9 +1070,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1119,6 +1117,8 @@ jobs: concurrency: group: "gh-aw-conclusion-delight" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1133,8 +1133,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1159,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1173,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1202,9 +1200,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1220,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1234,6 +1232,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1248,8 +1248,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1292,9 +1290,9 @@ jobs: FILE_GLOB_FILTER: "memory/delight/*.json memory/delight/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1309,6 +1307,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/delight" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📊 *User experience analysis by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📊 Delight Agent starting! [{workflow_name}]({run_url}) is analyzing user-facing aspects for improvement opportunities...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has identified targeted improvements for user experience.\",\"runFailure\":\"⚠️ Analysis interrupted! [{workflow_name}]({run_url}) {status}. Please review the logs...\"}" GH_AW_TRACKER_ID: "delight-daily" GH_AW_WORKFLOW_ID: "delight" @@ -1332,8 +1331,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1359,9 +1356,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index e39e2c42b0..904b68f1cf 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dependabot-burner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,15 +124,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -184,9 +182,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -203,10 +201,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -226,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -255,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dependabotburner outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -279,14 +275,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -309,14 +307,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -325,21 +323,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[dependabot-burner] \".", @@ -485,7 +483,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -603,8 +601,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -615,7 +613,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -644,7 +642,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -679,7 +677,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -716,7 +714,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -754,15 +752,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -772,7 +770,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -789,9 +787,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -800,18 +798,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -886,9 +884,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -938,9 +936,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -983,6 +981,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dependabot-burner" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -997,8 +997,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1022,9 +1020,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1035,9 +1033,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1057,9 +1055,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1074,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1096,8 +1094,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1106,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1122,6 +1118,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dependabot-burner" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dependabot-burner" GH_AW_WORKFLOW_NAME: "Dependabot Burner" outputs: @@ -1143,8 +1140,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1170,9 +1165,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 8d8cb6da99..89ce33ce2a 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dependabot-go-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,15 +122,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, close_issue, missing_tool, missing_data, noop @@ -183,9 +181,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -254,10 +252,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dependabotgochecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -278,14 +274,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -308,14 +306,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -324,21 +322,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_issue":{"max":20,"required_title_prefix":"[deps]","target":"*"},"create_issue":{"expires":48,"group":true,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[deps]\". Labels [\"dependencies\" \"go\" \"cookie\"] will be automatically added.", @@ -516,7 +514,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_issue": { "defaultMax": 1, @@ -652,8 +650,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -664,7 +662,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -693,7 +691,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -728,7 +726,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -765,7 +763,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -803,15 +801,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -821,7 +819,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -838,9 +836,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -849,18 +847,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -935,9 +933,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -987,9 +985,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1032,6 +1030,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dependabot-go-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1046,8 +1046,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1071,9 +1069,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1084,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1106,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1123,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1139,6 +1137,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dependabot-go-checker" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dependabot-go-checker" GH_AW_WORKFLOW_NAME: "Dependabot Dependency Checker" outputs: @@ -1160,8 +1159,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1187,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index aed6f1cda9..df8bb4f302 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -68,8 +68,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +89,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dev-hawk.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -131,15 +129,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -193,9 +191,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -218,10 +216,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -247,11 +245,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -277,10 +275,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: devhawk outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -301,8 +297,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -338,7 +332,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -361,14 +359,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -377,10 +375,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -395,27 +393,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: *.", @@ -549,7 +547,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -652,8 +650,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -664,7 +662,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -694,7 +692,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -741,7 +739,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -795,7 +793,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -833,15 +831,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -850,7 +848,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -867,9 +865,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -878,18 +876,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -964,9 +962,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1017,9 +1015,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1064,6 +1062,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dev-hawk" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1078,8 +1078,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1103,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1116,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1138,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1155,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1178,8 +1176,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1188,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1206,6 +1202,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dev-hawk" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦅 *Observed from above by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🦅 Dev Hawk circles the sky! [{workflow_name}]({run_url}) is monitoring this {event_type} from above...\",\"runSuccess\":\"🦅 Hawk eyes report! [{workflow_name}]({run_url}) has completed reconnaissance. Intel delivered! 🎯\",\"runFailure\":\"🦅 Hawk down! [{workflow_name}]({run_url}) {status}. The skies grow quiet...\"}" GH_AW_WORKFLOW_ID: "dev-hawk" GH_AW_WORKFLOW_NAME: "Dev Hawk" @@ -1228,8 +1225,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1255,9 +1250,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index ed2887b47b..4615de6c08 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -57,8 +57,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -80,7 +78,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -97,9 +95,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dev.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -114,15 +112,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -169,9 +167,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -187,10 +185,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -209,11 +207,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -239,10 +237,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dev outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -263,14 +259,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -293,14 +291,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -309,21 +307,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[Daily Report] \".", @@ -469,7 +467,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -587,8 +585,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -599,7 +597,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -628,7 +626,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -663,7 +661,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -701,7 +699,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -739,15 +737,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -756,7 +754,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -773,9 +771,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -784,18 +782,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -870,9 +868,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -923,9 +921,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -968,6 +966,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dev" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -982,8 +982,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1007,9 +1005,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1020,9 +1018,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1041,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1058,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1074,6 +1072,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dev" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dev" GH_AW_WORKFLOW_NAME: "Dev" outputs: @@ -1095,8 +1094,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1122,9 +1119,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 2ba5be4e7d..7031ec4d74 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "developer-docs-consolidator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,22 +125,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -198,9 +196,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -225,10 +223,10 @@ jobs: GH_AW_WIKI_NOTE: "\n\n> **GitHub Wiki**: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)." with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -256,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -286,10 +284,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: developerdocsconsolidator outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -309,8 +305,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -321,7 +315,11 @@ jobs: node-version: '24' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install QMD run: npm install -g @tobilu/qmd - name: Restore QMD index cache @@ -336,7 +334,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -353,7 +351,7 @@ jobs: TARGET_REPO: ${{ github.repository }}.wiki MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: false - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -376,9 +374,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -386,7 +384,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -397,21 +395,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_pull_request":{"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -606,7 +604,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -753,8 +751,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -765,16 +763,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -802,7 +800,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -811,17 +809,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -833,7 +831,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -865,7 +863,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -895,7 +893,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -952,7 +950,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1101,15 +1099,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1119,7 +1117,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1136,9 +1134,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1147,27 +1145,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1257,9 +1255,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1320,9 +1318,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1369,6 +1367,8 @@ jobs: concurrency: group: "gh-aw-conclusion-developer-docs-consolidator" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1383,8 +1383,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1408,9 +1406,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1421,9 +1419,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1450,9 +1448,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1467,9 +1465,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1481,9 +1479,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1495,6 +1493,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1509,8 +1509,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1553,9 +1551,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1573,6 +1571,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/developer-docs-consolidator" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "developer-docs-consolidator" GH_AW_WORKFLOW_NAME: "Developer Documentation Consolidator" outputs: @@ -1594,8 +1593,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1650,9 +1647,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1669,6 +1666,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: developerdocsconsolidator steps: - name: Checkout actions folder @@ -1680,8 +1678,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index b1fa339dc6..59ad47d508 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +83,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,9 +100,9 @@ jobs: GH_AW_WORKFLOW_FILE: "dictation-prompt.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -119,20 +117,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -183,9 +181,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -253,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dictationprompt outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,8 +273,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -289,7 +283,11 @@ jobs: node-version: '24' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install QMD run: npm install -g @tobilu/qmd - name: Restore QMD index cache @@ -324,14 +322,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -340,21 +338,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"auto_merge":true,"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"automation\"] will be automatically added.", @@ -500,7 +498,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -621,8 +619,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -633,16 +631,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -670,7 +668,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -679,17 +677,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -701,7 +699,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -733,7 +731,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -764,7 +762,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -806,7 +804,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -844,7 +842,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -882,15 +880,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -899,7 +897,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -916,9 +914,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -927,27 +925,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1024,9 +1022,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1077,9 +1075,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1123,6 +1121,8 @@ jobs: concurrency: group: "gh-aw-conclusion-dictation-prompt" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1137,8 +1137,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1162,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1175,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1198,9 +1196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1215,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1229,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1248,6 +1246,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dictation-prompt" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "dictation-prompt" GH_AW_WORKFLOW_NAME: "Dictation Prompt Generator" outputs: @@ -1269,8 +1268,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1325,9 +1322,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 2107688801..1afac9ce93 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +87,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -106,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "discussion-task-miner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,16 +122,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, missing_tool, missing_data, noop @@ -186,9 +184,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +208,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -238,11 +236,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -269,10 +267,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: discussiontaskminer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -293,14 +289,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" @@ -313,7 +311,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,27 +334,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3},"create_issue":{"expires":24,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[Code Quality] \". Labels [\"code-quality\" \"automation\" \"task-mining\"] will be automatically added.", @@ -554,7 +552,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -690,8 +688,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -702,7 +700,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -730,7 +728,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -765,7 +763,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -824,7 +822,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -862,15 +860,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -879,7 +877,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -896,9 +894,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -907,18 +905,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1002,9 +1000,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1055,9 +1053,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1103,6 +1101,8 @@ jobs: concurrency: group: "gh-aw-conclusion-discussion-task-miner" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1117,8 +1117,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1143,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1157,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1184,9 +1182,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1202,9 +1200,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1216,6 +1214,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1230,8 +1230,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1274,9 +1272,9 @@ jobs: FILE_GLOB_FILTER: "memory/discussion-task-miner/*.json memory/discussion-task-miner/*.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1292,6 +1290,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/discussion-task-miner" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Task mining by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 Discussion Task Miner starting! [{workflow_name}]({run_url}) is scanning discussions for code quality improvements...\",\"runSuccess\":\"✅ Task mining complete! [{workflow_name}]({run_url}) has identified actionable code quality tasks. 📊\",\"runFailure\":\"⚠️ Task mining interrupted! [{workflow_name}]({run_url}) {status}. Please review the logs...\"}" GH_AW_TRACKER_ID: "discussion-task-miner" GH_AW_WORKFLOW_ID: "discussion-task-miner" @@ -1317,8 +1316,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1344,9 +1341,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 18a0ab610a..aab8e58b28 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +84,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -103,9 +101,9 @@ jobs: GH_AW_WORKFLOW_FILE: "docs-noob-tester.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -120,16 +118,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -186,9 +184,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -204,10 +202,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -226,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -256,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: docsnoobtester outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,14 +276,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -310,14 +308,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -326,21 +324,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -496,7 +494,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -616,8 +614,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -628,7 +626,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -661,7 +659,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -703,7 +701,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -744,7 +742,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -782,15 +780,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -799,7 +797,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -816,9 +814,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -827,18 +825,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -922,9 +920,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -975,9 +973,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1022,6 +1020,8 @@ jobs: concurrency: group: "gh-aw-conclusion-docs-noob-tester" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1036,8 +1036,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1061,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1074,9 +1072,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1097,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1114,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1131,6 +1129,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/docs-noob-tester" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "docs-noob-tester" GH_AW_WORKFLOW_NAME: "Documentation Noob Tester" outputs: @@ -1150,8 +1149,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1177,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1209,8 +1206,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1265,8 +1260,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 866ae7233f..32ced25a7d 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -58,8 +58,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -81,7 +79,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -98,9 +96,9 @@ jobs: GH_AW_WORKFLOW_FILE: "draft-pr-cleanup.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -115,15 +113,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, close_pull_request, add_labels, missing_tool, missing_data, noop @@ -172,9 +170,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -190,10 +188,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -212,11 +210,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -241,10 +239,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: draftprcleanup outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -265,14 +261,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -295,14 +293,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -311,21 +309,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":20},"add_labels":{"max":20},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Close a pull request WITHOUT merging, adding a closing comment. You can and should always add a comment when closing a PR to explain the action or provide context. Use this for PRs that should be abandoned, superseded, or closed for other reasons. The closing comment should explain why the PR is being closed. This does NOT merge the changes. If the PR is already closed, a comment will still be posted. CONSTRAINTS: Maximum 10 pull request(s) can be closed. Target: *.", @@ -520,7 +518,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -642,8 +640,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -654,7 +652,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -683,7 +681,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -718,7 +716,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -772,7 +770,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -810,15 +808,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -827,7 +825,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -844,9 +842,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -855,18 +853,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -941,9 +939,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -994,9 +992,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1041,6 +1039,8 @@ jobs: concurrency: group: "gh-aw-conclusion-draft-pr-cleanup" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1055,8 +1055,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1080,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1093,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1115,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1132,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1150,6 +1148,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/draft-pr-cleanup" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🧹 Starting draft PR cleanup... [{workflow_name}]({run_url}) is reviewing draft PRs for staleness\",\"runSuccess\":\"✅ Draft PR cleanup complete! [{workflow_name}]({run_url}) has reviewed and processed stale drafts.\",\"runFailure\":\"❌ Draft PR cleanup failed! [{workflow_name}]({run_url}) {status}. Some draft PRs may not be processed.\"}" GH_AW_WORKFLOW_ID: "draft-pr-cleanup" GH_AW_WORKFLOW_NAME: "Draft PR Cleanup" @@ -1172,8 +1171,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1199,9 +1196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 6ca135b236..f9c45ead97 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "duplicate-code-detector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -193,9 +191,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -212,10 +210,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -235,11 +233,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -264,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: duplicatecodedetector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,14 +283,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -317,9 +315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -329,7 +327,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -338,21 +336,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [\"copilot\"] will be automatically assigned.", @@ -498,7 +496,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -616,8 +614,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -628,7 +626,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -697,7 +695,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -747,7 +745,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -792,15 +790,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -811,7 +809,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -828,9 +826,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -839,18 +837,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -925,9 +923,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -964,9 +962,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1009,6 +1007,8 @@ jobs: concurrency: group: "gh-aw-conclusion-duplicate-code-detector" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1023,8 +1023,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1048,9 +1046,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1061,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1082,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1099,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1115,6 +1113,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/duplicate-code-detector" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "duplicate-code-detector" GH_AW_WORKFLOW_NAME: "Duplicate Code Detector" outputs: @@ -1136,8 +1135,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1164,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' @@ -1176,9 +1173,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_copilot_to_created_issues.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 9006985419..5cdb6c77c1 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -56,8 +56,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -79,11 +77,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -101,9 +99,9 @@ jobs: GH_AW_WORKFLOW_FILE: "example-permissions-warning.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -117,14 +115,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -168,9 +166,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -186,10 +184,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -208,11 +206,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -231,6 +229,7 @@ jobs: issues: read pull-requests: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: examplepermissionswarning outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -246,14 +245,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -276,14 +277,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -292,10 +293,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -320,7 +321,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -348,7 +349,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -384,7 +385,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -422,15 +423,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -440,7 +441,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -448,18 +449,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 00b95b0163..bcf52db452 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "example-workflow-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -183,9 +181,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -253,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: exampleworkflowanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,8 +272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -313,7 +307,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,9 +334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -346,7 +344,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -357,10 +355,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -375,27 +373,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[workflow-analysis] \". Discussions will be created in category \"audits\".", @@ -526,7 +524,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -637,8 +635,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -649,7 +647,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -678,7 +676,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -723,7 +721,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -843,15 +841,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -861,7 +859,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -878,9 +876,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -889,18 +887,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -973,9 +971,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1036,9 +1034,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1082,6 +1080,8 @@ jobs: concurrency: group: "gh-aw-conclusion-example-workflow-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1096,8 +1096,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1121,9 +1119,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1134,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1157,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1174,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1191,6 +1189,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/example-workflow-analyzer" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "example-workflow-analyzer" GH_AW_WORKFLOW_NAME: "Weekly Workflow Analysis" outputs: @@ -1210,8 +1209,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1237,9 +1234,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index f7e97f8468..c610c263b3 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -71,8 +71,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -94,7 +92,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -111,18 +109,18 @@ jobs: GH_AW_WORKFLOW_FILE: "firewall-escape.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -138,17 +136,17 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -196,9 +194,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -224,10 +222,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -256,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -286,10 +284,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: firewallescape outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -310,17 +306,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -337,7 +335,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -360,14 +358,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -376,21 +374,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":524288,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Firewall Escape] \". Discussions will be created in category \"audits\".", @@ -536,7 +534,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -647,8 +645,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -659,7 +657,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -688,7 +686,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -723,7 +721,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -761,7 +759,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -799,15 +797,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -816,7 +814,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -833,9 +831,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -844,18 +842,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -945,9 +943,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -998,9 +996,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1046,6 +1044,8 @@ jobs: concurrency: group: "gh-aw-conclusion-firewall-escape" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1060,8 +1060,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1086,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1100,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1128,9 +1126,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1146,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); post-issue: @@ -1200,8 +1198,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1210,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1224,6 +1220,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1238,8 +1236,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1281,9 +1277,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1298,6 +1294,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/firewall-escape" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "firewall-escape" GH_AW_WORKFLOW_ID: "firewall-escape" GH_AW_WORKFLOW_NAME: "The Great Escapi" @@ -1318,8 +1315,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1345,9 +1340,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1364,6 +1359,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: firewallescape steps: - name: Checkout actions folder @@ -1375,8 +1371,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index f589a64d33..fd86b79fa7 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -56,8 +56,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -79,11 +77,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -101,9 +99,9 @@ jobs: GH_AW_WORKFLOW_FILE: "firewall.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -117,14 +115,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -170,9 +168,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -188,10 +186,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -210,11 +208,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -233,6 +231,7 @@ jobs: issues: read pull-requests: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: firewall outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -248,14 +247,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -278,14 +279,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -294,10 +295,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -322,7 +323,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -350,7 +351,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -386,7 +387,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -424,15 +425,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -442,7 +443,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -450,18 +451,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 2acebf9362..f2aec5e0ac 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "functional-pragmatist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,20 +122,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -187,9 +185,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -205,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -227,11 +225,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -256,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: functionalpragmatist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,14 +276,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -310,14 +308,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -326,21 +324,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"reviewers":["copilot"],"title_prefix":"[fp-enhancer] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[fp-enhancer] \". Labels [\"refactoring\" \"functional\" \"immutability\" \"code-quality\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -486,7 +484,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -607,8 +605,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -619,7 +617,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -648,7 +646,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -683,7 +681,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -720,7 +718,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -758,15 +756,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -776,7 +774,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -793,9 +791,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -804,18 +802,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -891,9 +889,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -943,9 +941,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -989,6 +987,8 @@ jobs: concurrency: group: "gh-aw-conclusion-functional-pragmatist" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1003,8 +1003,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1029,9 +1027,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1043,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1068,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1086,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1101,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1120,6 +1118,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/functional-pragmatist" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "functional-pragmatist" GH_AW_WORKFLOW_ID: "functional-pragmatist" GH_AW_WORKFLOW_NAME: "Functional Pragmatist" @@ -1142,8 +1141,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1198,9 +1195,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 7e6362be65..2e355eda5a 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "github-mcp-structural-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -191,9 +189,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -212,10 +210,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -237,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -269,10 +267,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: githubmcpstructuralanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -292,14 +288,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -325,7 +323,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -355,9 +353,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -365,7 +363,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -376,21 +374,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[mcp-analysis] \". Discussions will be created in category \"audits\".", @@ -546,7 +544,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -666,8 +664,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -678,7 +676,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -709,7 +707,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -743,7 +741,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -870,15 +868,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -888,7 +886,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -905,9 +903,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -916,18 +914,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1015,9 +1013,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1078,9 +1076,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1126,6 +1124,8 @@ jobs: concurrency: group: "gh-aw-conclusion-github-mcp-structural-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1140,8 +1140,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1165,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1178,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1201,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1218,9 +1216,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1235,6 +1233,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/github-mcp-structural-analysis" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "github-mcp-structural-analysis" GH_AW_WORKFLOW_NAME: "GitHub MCP Structural Analysis" outputs: @@ -1254,8 +1253,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1281,9 +1278,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1300,6 +1297,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: githubmcpstructuralanalysis steps: - name: Checkout actions folder @@ -1311,8 +1309,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1356,8 +1352,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1412,8 +1406,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 8e9edb2701..3c82b54573 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "github-mcp-tools-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,21 +123,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -188,9 +186,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -209,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -266,10 +264,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: githubmcptoolsreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,17 +285,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -329,9 +327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -339,7 +337,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -350,21 +348,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[mcp-tools] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -544,7 +542,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -691,8 +689,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -703,7 +701,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -731,7 +729,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -766,7 +764,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -890,15 +888,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -908,7 +906,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -925,9 +923,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -936,18 +934,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1027,9 +1025,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1090,9 +1088,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1138,6 +1136,8 @@ jobs: concurrency: group: "gh-aw-conclusion-github-mcp-tools-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1152,8 +1152,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1177,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1190,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1215,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1232,9 +1230,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1246,9 +1244,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1266,6 +1264,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/github-mcp-tools-report" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "github-mcp-tools-report" GH_AW_WORKFLOW_NAME: "GitHub MCP Remote Server Tools Report Generator" outputs: @@ -1287,8 +1286,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1343,9 +1340,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1362,6 +1359,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: githubmcptoolsreport steps: - name: Checkout actions folder @@ -1373,8 +1371,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 69c2a219ad..19bb8b48a6 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "github-remote-mcp-auth-test.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,15 +120,15 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -180,9 +178,9 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -199,10 +197,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -222,11 +220,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -251,10 +249,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: githubremotemcpauthtest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,14 +271,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -305,14 +303,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -321,21 +319,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[auth-test] \". Discussions will be created in category \"audits\".", @@ -466,7 +464,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -577,8 +575,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -589,7 +587,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -619,7 +617,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_PERSONAL_ACCESS_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -662,7 +660,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -699,7 +697,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -737,15 +735,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -755,7 +753,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -772,9 +770,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -783,18 +781,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -869,9 +867,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -921,9 +919,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -967,6 +965,8 @@ jobs: concurrency: group: "gh-aw-conclusion-github-remote-mcp-auth-test" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -981,8 +981,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1006,9 +1004,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1019,9 +1017,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1043,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1060,9 +1058,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1078,6 +1076,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/github-remote-mcp-auth-test" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "github-remote-mcp-auth-test" GH_AW_WORKFLOW_NAME: "GitHub Remote MCP Authentication Test" outputs: @@ -1097,8 +1096,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1124,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 23dfc38386..ad68103c87 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "glossary-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,22 +125,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -200,9 +198,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -227,10 +225,10 @@ jobs: GH_AW_WIKI_NOTE: "\n\n> **GitHub Wiki**: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)." with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -258,11 +256,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -288,10 +286,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: glossarymaintainer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -312,8 +308,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -325,9 +319,9 @@ jobs: GH_AW_AGENT_IMPORT_SPEC: "../agents/technical-doc-writer.agent.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/merge_remote_agent_github_folder.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/merge_remote_agent_github_folder.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -335,7 +329,11 @@ jobs: node-version: '24' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install QMD run: npm install -g @tobilu/qmd - name: Restore QMD index cache @@ -350,7 +348,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -367,7 +365,7 @@ jobs: TARGET_REPO: ${{ github.repository }}.wiki MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: false - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -390,14 +388,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -406,21 +404,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"glossary\"] will be automatically added.", @@ -581,7 +579,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -702,8 +700,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -714,16 +712,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -751,7 +749,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -760,17 +758,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -782,7 +780,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -814,7 +812,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -845,7 +843,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -895,7 +893,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -961,7 +959,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -999,15 +997,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1017,7 +1015,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1034,9 +1032,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1045,27 +1043,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1157,9 +1155,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1209,9 +1207,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1257,6 +1255,8 @@ jobs: concurrency: group: "gh-aw-conclusion-glossary-maintainer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1271,8 +1271,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1296,9 +1294,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1309,9 +1307,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1337,9 +1335,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1354,9 +1352,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1368,9 +1366,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1382,6 +1380,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1396,8 +1396,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1440,9 +1438,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1459,6 +1457,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/glossary-maintainer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "glossary-maintainer" GH_AW_WORKFLOW_NAME: "Glossary Maintainer" outputs: @@ -1480,8 +1479,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1536,9 +1533,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1555,6 +1552,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: glossarymaintainer steps: - name: Checkout actions folder @@ -1566,8 +1564,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 03f263968e..d648f396ce 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "go-fan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -190,9 +188,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -211,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -236,11 +234,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -266,10 +264,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gofan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,17 +285,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -329,9 +327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -339,7 +337,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -350,21 +348,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[go-fan] \". Discussions will be created in category \"audits\".", @@ -495,7 +493,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -606,8 +604,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -618,7 +616,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -646,7 +644,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -696,7 +694,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -838,15 +836,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -856,7 +854,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -873,9 +871,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -884,18 +882,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -974,9 +972,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1037,9 +1035,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1084,6 +1082,8 @@ jobs: concurrency: group: "gh-aw-conclusion-go-fan" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1098,8 +1098,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1124,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1138,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1162,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1180,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1197,6 +1195,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/go-fan" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "go-fan-daily" GH_AW_WORKFLOW_ID: "go-fan" GH_AW_WORKFLOW_NAME: "Go Fan" @@ -1217,8 +1216,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1244,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1263,6 +1260,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: gofan steps: - name: Checkout actions folder @@ -1274,8 +1272,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 09e18df46a..7476f08fb1 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "go-logger.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,21 +123,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -187,9 +185,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -233,11 +231,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -262,10 +260,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gologger outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,8 +281,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -299,7 +293,11 @@ jobs: cache-dependency-path: 'actions/setup/js/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: @@ -311,7 +309,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -341,9 +339,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -351,7 +349,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -362,21 +360,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[log] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[log] \". Labels [\"enhancement\" \"automation\"] will be automatically added.", @@ -522,7 +520,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -643,8 +641,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -655,16 +653,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "go", @@ -705,7 +703,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -714,17 +712,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash # Auto-generated mcp-script tool: go # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -736,8 +734,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GO_EOF - chmod +x /opt/gh-aw/mcp-scripts/go.sh - cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/go.sh + cat > ${GH_AW_HOME}/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash # Auto-generated mcp-script tool: make # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -748,7 +746,7 @@ jobs: make $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/mcp-scripts/make.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/make.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -780,7 +778,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -810,7 +808,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -851,7 +849,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1003,15 +1001,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1021,7 +1019,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1038,9 +1036,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1049,27 +1047,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1150,9 +1148,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1213,9 +1211,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1260,6 +1258,8 @@ jobs: concurrency: group: "gh-aw-conclusion-go-logger" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1274,8 +1274,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1299,9 +1297,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1312,9 +1310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1335,9 +1333,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1352,9 +1350,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1366,9 +1364,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1385,6 +1383,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/go-logger" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "go-logger" GH_AW_WORKFLOW_NAME: "Go Logger Enhancement" outputs: @@ -1406,8 +1405,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1462,9 +1459,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1481,6 +1478,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: gologger steps: - name: Checkout actions folder @@ -1492,8 +1490,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 9f691edb20..e6d08494a8 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "go-pattern-detector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,15 +124,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -190,9 +188,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -209,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -232,11 +230,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -264,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gopatterndetector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,14 +283,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -317,9 +315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -327,7 +325,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -338,21 +336,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/ast-grep:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/ast-grep:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[ast-grep] \". Labels [\"code-quality\" \"ast-grep\" \"cookie\"] will be automatically added.", @@ -498,7 +496,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -616,8 +614,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -628,7 +626,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -656,7 +654,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "ast-grep": { @@ -697,7 +695,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -818,15 +816,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -836,7 +834,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -853,9 +851,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -864,18 +862,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -948,9 +946,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1011,9 +1009,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1090,6 +1088,8 @@ jobs: concurrency: group: "gh-aw-conclusion-go-pattern-detector" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1104,8 +1104,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1129,9 +1127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1142,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1163,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1180,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1196,6 +1194,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/go-pattern-detector" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "go-pattern-detector" GH_AW_WORKFLOW_NAME: "Go Pattern Detector" outputs: @@ -1217,8 +1216,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1244,9 +1241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index e02c9257d9..6258d11ab9 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "gpclean.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -185,9 +183,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -231,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -260,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gpclean outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,14 +280,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -300,7 +298,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -330,14 +328,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -346,21 +344,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[gpl-dependency]\". Labels [\"dependency-cleaner\"] will be automatically added.", @@ -506,7 +504,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -624,8 +622,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -636,7 +634,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -665,7 +663,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -700,7 +698,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -737,7 +735,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -775,15 +773,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -793,7 +791,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -810,9 +808,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -821,18 +819,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -913,9 +911,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -965,9 +963,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1011,6 +1009,8 @@ jobs: concurrency: group: "gh-aw-conclusion-gpclean" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1025,8 +1025,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1050,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1063,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1085,9 +1083,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1102,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1118,6 +1116,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/gpclean" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "gpclean" GH_AW_WORKFLOW_NAME: "GPL Dependency Cleaner (gpclean)" outputs: @@ -1139,8 +1138,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1166,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1185,6 +1182,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: gpclean steps: - name: Checkout actions folder @@ -1196,8 +1194,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 02cab7045d..6f896dfd39 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -75,8 +75,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,11 +99,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -126,9 +124,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -136,18 +134,18 @@ jobs: GH_AW_WORKFLOW_FILE: "grumpy-reviewer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -164,16 +162,16 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request_review_comment, submit_pull_request_review, missing_tool, missing_data, noop @@ -208,7 +206,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -226,9 +224,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -251,10 +249,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -280,11 +278,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -306,10 +304,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: grumpyreviewer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -330,17 +326,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -370,27 +368,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request_review_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead. CONSTRAINTS: Maximum 5 review comment(s) can be created. Comments will be on the RIGHT side of the diff.", @@ -571,7 +569,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request_review_comment": { "defaultMax": 1, @@ -708,8 +706,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -720,7 +718,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -748,7 +746,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -783,7 +781,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -820,7 +818,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -858,15 +856,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -876,7 +874,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -894,9 +892,9 @@ jobs: GH_AW_COMMAND: grumpy with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -905,18 +903,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -997,9 +995,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1049,9 +1047,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1095,6 +1093,8 @@ jobs: concurrency: group: "gh-aw-conclusion-grumpy-reviewer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1109,8 +1109,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1134,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1147,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1170,9 +1168,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1187,9 +1185,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1213,8 +1211,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1223,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1234,9 +1230,9 @@ jobs: GH_AW_COMMANDS: "[\"grumpy\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1250,6 +1246,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/grumpy-reviewer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 😤 *Reluctantly reviewed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"😤 *sigh* [{workflow_name}]({run_url}) is begrudgingly looking at this {event_type}... This better be worth my time.\",\"runSuccess\":\"😤 Fine. [{workflow_name}]({run_url}) finished the review. It wasn't completely terrible. I guess. 🙄\",\"runFailure\":\"😤 Great. [{workflow_name}]({run_url}) {status}. As if my day couldn't get any worse...\"}" GH_AW_WORKFLOW_ID: "grumpy-reviewer" GH_AW_WORKFLOW_NAME: "Grumpy Code Reviewer 🔥" @@ -1270,8 +1267,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1297,9 +1292,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1316,6 +1311,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: grumpyreviewer steps: - name: Checkout actions folder @@ -1327,8 +1323,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 99bc5f0b06..4801056b48 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "hourly-ci-cleaner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,20 +127,20 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_RUN_ID: ${{ needs.check_ci_status.outputs.ci_run_id }} GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -194,9 +192,9 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -215,10 +213,10 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -240,11 +238,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -273,10 +271,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: hourlycicleaner outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -297,8 +293,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -310,9 +304,9 @@ jobs: GH_AW_AGENT_IMPORT_SPEC: "../agents/ci-cleaner.agent.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/merge_remote_agent_github_folder.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/merge_remote_agent_github_folder.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -322,7 +316,11 @@ jobs: cache-dependency-path: 'actions/setup/js/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install Make run: | sudo apt-get update @@ -360,14 +358,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -376,21 +374,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"title_prefix":"[ca] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ca] \".", @@ -536,7 +534,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -657,8 +655,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -669,7 +667,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -698,7 +696,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -733,7 +731,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -770,7 +768,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -808,15 +806,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -826,7 +824,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -843,9 +841,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -854,18 +852,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -941,9 +939,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -993,9 +991,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1086,6 +1084,8 @@ jobs: concurrency: group: "gh-aw-conclusion-hourly-ci-cleaner" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1100,8 +1100,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1126,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1142,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1167,9 +1165,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1185,9 +1183,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1200,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1219,6 +1217,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/hourly-ci-cleaner" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "hourly-ci-cleaner" GH_AW_WORKFLOW_ID: "hourly-ci-cleaner" GH_AW_WORKFLOW_NAME: "CI Cleaner" @@ -1241,8 +1240,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1297,9 +1294,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index b351d85662..18bb3514d7 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -104,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "instructions-janitor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,21 +119,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -180,9 +178,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -226,11 +224,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -255,10 +253,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: instructionsjanitor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -278,17 +274,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -318,9 +316,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -328,7 +326,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -339,21 +337,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[instructions] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[instructions] \". Labels [\"documentation\" \"automation\" \"instructions\"] will be automatically added.", @@ -499,7 +497,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -620,8 +618,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -632,7 +630,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -660,7 +658,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -694,7 +692,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -841,15 +839,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -859,7 +857,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -876,9 +874,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -887,18 +885,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -978,9 +976,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1041,9 +1039,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1088,6 +1086,8 @@ jobs: concurrency: group: "gh-aw-conclusion-instructions-janitor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1102,8 +1102,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1127,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1140,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1163,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1180,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1194,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1213,6 +1211,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/instructions-janitor" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "instructions-janitor" GH_AW_WORKFLOW_NAME: "Instructions Janitor" outputs: @@ -1234,8 +1233,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1290,9 +1287,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1309,6 +1306,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: instructionsjanitor steps: - name: Checkout actions folder @@ -1320,8 +1318,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 377be0bd05..d1ba1b88eb 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -113,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "issue-arborist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,15 +128,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, link_sub_issue, missing_tool, missing_data, noop @@ -192,9 +190,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -232,11 +230,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -260,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: issuearborist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,14 +279,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -321,9 +319,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -333,20 +331,20 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"create_issue":{"expires":48,"group":true,"max":5},"link_sub_issue":{"max":50},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[Parent] \".", @@ -562,7 +560,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -724,8 +722,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -736,7 +734,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -788,7 +786,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -822,7 +820,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -867,15 +865,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -886,7 +884,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -903,9 +901,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -914,18 +912,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1000,9 +998,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1039,9 +1037,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1085,6 +1083,8 @@ jobs: concurrency: group: "gh-aw-conclusion-issue-arborist" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1099,8 +1099,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1124,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1137,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1160,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1177,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1194,6 +1192,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/issue-arborist" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "issue-arborist" GH_AW_WORKFLOW_NAME: "Issue Arborist" outputs: @@ -1215,8 +1214,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1242,9 +1239,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index c92c3c5000..d50809b157 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -71,8 +71,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,11 +95,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -119,9 +117,9 @@ jobs: GH_AW_WORKFLOW_FILE: "issue-monster.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -139,15 +137,15 @@ jobs: GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_LIST: ${{ needs.search_issues.outputs.issue_list }} GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, assign_to_agent, missing_tool, missing_data, noop @@ -201,9 +199,9 @@ jobs: GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -223,10 +221,10 @@ jobs: GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -249,11 +247,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -280,10 +278,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: issuemonster outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -304,14 +300,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -334,27 +332,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3,"target":"*"},"assign_to_agent":{"allowed":["copilot"],"max":3,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 3 comment(s) can be added. Target: *.", @@ -528,7 +526,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -656,8 +654,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -668,7 +666,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -696,7 +694,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -731,7 +729,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -768,7 +766,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -806,15 +804,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -824,7 +822,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -841,9 +839,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -852,18 +850,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -938,9 +936,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -990,9 +988,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1037,6 +1035,8 @@ jobs: concurrency: group: "gh-aw-conclusion-issue-monster" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1051,8 +1051,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1076,9 +1074,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1089,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1114,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1131,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1153,8 +1151,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1163,9 +1159,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1176,9 +1172,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "5" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); - name: Check skip-if-no-match query id: check_skip_if_no_match @@ -1189,9 +1185,9 @@ jobs: GH_AW_SKIP_MIN_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_no_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_no_match.cjs'); await main(); safe_outputs: @@ -1208,6 +1204,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/issue-monster" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🍪 *Om nom nom by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🍪 ISSUE! ISSUE! [{workflow_name}]({run_url}) hungry for issues on this {event_type}! Om nom nom...\",\"runSuccess\":\"🍪 YUMMY! [{workflow_name}]({run_url}) ate the issues! That was DELICIOUS! Me want MORE! 😋\",\"runFailure\":\"🍪 Aww... [{workflow_name}]({run_url}) {status}. No cookie for monster today... 😢\"}" GH_AW_WORKFLOW_ID: "issue-monster" GH_AW_WORKFLOW_NAME: "Issue Monster" @@ -1233,8 +1230,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1260,9 +1255,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1276,9 +1271,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require('${GH_AW_HOME}/actions/assign_to_agent.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 6281f82cd9..2c9e595476 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -61,8 +61,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "issue-triage-agent.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,15 +124,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, add_labels, missing_tool, missing_data, noop @@ -185,9 +183,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -203,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -225,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -253,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: issuetriageagent outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} @@ -276,14 +272,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -297,22 +295,22 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["bug","feature","enhancement","documentation","question","help-wanted","good-first-issue"],"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -475,7 +473,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -597,8 +595,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -609,7 +607,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -637,7 +635,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -672,7 +670,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -709,7 +707,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -747,15 +745,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -765,7 +763,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -782,9 +780,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -793,18 +791,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -879,9 +877,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -931,9 +929,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -978,6 +976,8 @@ jobs: concurrency: group: "gh-aw-conclusion-issue-triage-agent" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -992,8 +992,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1017,9 +1015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1030,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1051,9 +1049,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1068,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1086,6 +1084,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/issue-triage-agent" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "issue-triage-agent" GH_AW_WORKFLOW_NAME: "Issue Triage Agent" outputs: @@ -1107,8 +1106,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1134,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index b3aba5b0f6..fe817c1009 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "jsweep.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,21 +119,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -182,9 +180,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -203,10 +201,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -228,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -258,10 +256,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: jsweep outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,8 +278,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -294,14 +288,18 @@ jobs: node-version: '20' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install Node.js dependencies run: npm install working-directory: actions/setup/js # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -331,14 +329,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -347,21 +345,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"draft":true,"expires":48,"max":1,"title_prefix":"[jsweep] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[jsweep] \". Labels [\"unbloat\" \"automation\"] will be automatically added. PRs will be created as drafts.", @@ -507,7 +505,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -628,8 +626,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -640,7 +638,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -669,7 +667,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -712,7 +710,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -749,7 +747,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -787,15 +785,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -805,7 +803,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -822,9 +820,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -833,18 +831,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -926,9 +924,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -978,9 +976,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1025,6 +1023,8 @@ jobs: concurrency: group: "gh-aw-conclusion-jsweep" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1039,8 +1039,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1065,9 +1063,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1079,9 +1077,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1104,9 +1102,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1122,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1137,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1156,6 +1154,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/jsweep" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "jsweep-daily" GH_AW_WORKFLOW_ID: "jsweep" GH_AW_WORKFLOW_NAME: "jsweep - JavaScript Unbloater" @@ -1178,8 +1177,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1234,9 +1231,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1253,6 +1250,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: jsweep steps: - name: Checkout actions folder @@ -1264,8 +1262,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 974d790fc7..dea4b9acb9 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -83,11 +81,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -105,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "layout-spec-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -122,20 +120,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -180,9 +178,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -198,10 +196,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -220,11 +218,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -249,10 +247,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: layoutspecmaintainer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -273,14 +269,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache configuration from frontmatter processed below - name: Cache layout spec data uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 @@ -310,14 +308,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -326,21 +324,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[specs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[specs] \". Labels [\"documentation\" \"automation\"] will be automatically added.", @@ -486,7 +484,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -607,8 +605,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -619,7 +617,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -648,7 +646,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -683,7 +681,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -749,7 +747,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -787,15 +785,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -805,7 +803,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -822,9 +820,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -833,18 +831,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -920,9 +918,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -972,9 +970,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1018,6 +1016,8 @@ jobs: concurrency: group: "gh-aw-conclusion-layout-spec-maintainer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1032,8 +1032,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1058,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1072,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1097,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1115,9 +1113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1130,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1149,6 +1147,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/layout-spec-maintainer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "layout-spec-maintainer" GH_AW_WORKFLOW_ID: "layout-spec-maintainer" GH_AW_WORKFLOW_NAME: "Layout Specification Maintainer" @@ -1171,8 +1170,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1227,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 4c517b3883..00b7fb99b6 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "lockfile-stats.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -185,9 +183,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -231,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -260,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: lockfilestats outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,17 +279,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -323,9 +321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -333,7 +331,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -344,21 +342,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -489,7 +487,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -600,8 +598,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -612,7 +610,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -640,7 +638,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -674,7 +672,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -798,15 +796,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -816,7 +814,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -833,9 +831,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -844,18 +842,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -934,9 +932,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -997,9 +995,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1044,6 +1042,8 @@ jobs: concurrency: group: "gh-aw-conclusion-lockfile-stats" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1058,8 +1058,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1083,9 +1081,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1096,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1119,9 +1117,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1136,9 +1134,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1153,6 +1151,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/lockfile-stats" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "lockfile-stats" GH_AW_WORKFLOW_NAME: "Lockfile Statistics Analysis Agent" outputs: @@ -1172,8 +1171,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1199,9 +1196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1218,6 +1215,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: lockfilestats steps: - name: Checkout actions folder @@ -1229,8 +1227,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 6aacc72bf4..1e87d239be 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -78,8 +78,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -101,11 +99,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -123,9 +121,9 @@ jobs: GH_AW_WORKFLOW_FILE: "mcp-inspector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -140,16 +138,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -244,9 +242,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -265,10 +263,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -290,11 +288,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -320,10 +318,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: mcpinspector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -344,8 +340,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -392,10 +386,14 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -425,14 +423,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -441,10 +439,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -459,27 +457,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"notion-add-comment":{"description":"Add a comment to a Notion page","inputs":{"comment":{"default":null,"description":"The comment text to add","required":true,"type":"string"}},"output":"Comment added to Notion successfully!"},"post-to-slack-channel":{"description":"Post a message to a Slack channel. Message must be 200 characters or less. Supports basic Slack markdown: *bold*, _italic_, ~strike~, `code`, ```code block```, \u003equote, and links \u003curl|text\u003e. Requires GH_AW_SLACK_CHANNEL_ID environment variable to be set.","inputs":{"message":{"default":null,"description":"The message to post (max 200 characters, supports Slack markdown)","required":true,"type":"string"}},"output":"Message posted to Slack successfully!"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -644,7 +642,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -755,8 +753,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -767,7 +765,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -810,7 +808,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID -e BRAVE_API_KEY -e CONTEXT7_API_KEY -e DD_API_KEY -e DD_APPLICATION_KEY -e DD_SITE -e NOTION_API_TOKEN -e SENTRY_ACCESS_TOKEN -e SENTRY_HOST -e SENTRY_OPENAI_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -1044,7 +1042,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1085,7 +1083,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1123,15 +1121,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID,BRAVE_API_KEY,CONTEXT7_API_KEY,COPILOT_GITHUB_TOKEN,DD_API_KEY,DD_APPLICATION_KEY,DD_SITE,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,NOTION_API_TOKEN,SENTRY_ACCESS_TOKEN,SENTRY_OPENAI_API_KEY,TAVILY_API_KEY' @@ -1153,7 +1151,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1170,9 +1168,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1181,18 +1179,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1273,9 +1271,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1325,9 +1323,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1374,6 +1372,8 @@ jobs: concurrency: group: "gh-aw-conclusion-mcp-inspector" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1388,8 +1388,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1413,9 +1411,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1426,9 +1424,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1450,9 +1448,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1467,9 +1465,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); notion_add_comment: @@ -1485,11 +1483,11 @@ jobs: uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: agent - path: /opt/gh-aw/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${{ env.GH_AW_HOME }}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${{ env.GH_AW_HOME }}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Add comment to Notion page uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: @@ -1613,11 +1611,11 @@ jobs: uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: agent - path: /opt/gh-aw/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${{ env.GH_AW_HOME }}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${{ env.GH_AW_HOME }}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Post message to Slack uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: @@ -1754,6 +1752,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/mcp-inspector" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "mcp-inspector" GH_AW_WORKFLOW_NAME: "MCP Inspector Agent" outputs: @@ -1773,8 +1772,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1801,9 +1798,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1820,6 +1817,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: mcpinspector steps: - name: Checkout actions folder @@ -1831,8 +1829,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index e60b56378f..bed14d2f2e 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -70,8 +70,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,11 +91,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -118,9 +116,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -128,18 +126,18 @@ jobs: GH_AW_WORKFLOW_FILE: "mergefest.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -155,20 +153,20 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -201,7 +199,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -219,9 +217,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -240,10 +238,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -265,11 +263,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -292,10 +290,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: mergefest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -316,14 +312,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials run: "git config user.name \"github-actions[bot]\"\ngit config user.email \"github-actions[bot]@users.noreply.github.com\"\n\n# Create .gitignore to exclude workflow YAML files\ncat > /tmp/merge-gitignore << 'EOF'\n# Exclude all .yml files in .github/workflows/\n.github/workflows/*.yml\nEOF" @@ -349,14 +347,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -365,21 +363,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Push committed changes to a pull request's branch. Use this to add follow-up commits to an existing PR, such as addressing review feedback or fixing issues. Changes must be committed locally before calling this tool.", @@ -512,7 +510,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -617,8 +615,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -629,7 +627,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -658,7 +656,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -693,7 +691,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -769,7 +767,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -807,15 +805,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -825,7 +823,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -843,9 +841,9 @@ jobs: GH_AW_COMMAND: mergefest with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -854,18 +852,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -941,9 +939,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -993,9 +991,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1038,6 +1036,8 @@ jobs: concurrency: group: "gh-aw-conclusion-mergefest" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1052,8 +1052,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1077,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1090,9 +1088,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1114,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1131,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1156,8 +1154,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1166,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1177,9 +1173,9 @@ jobs: GH_AW_COMMANDS: "[\"mergefest\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1195,6 +1191,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/mergefest" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "mergefest" GH_AW_WORKFLOW_NAME: "Mergefest" outputs: @@ -1216,8 +1213,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1272,9 +1267,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index ba16742849..f8127c0411 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -61,8 +61,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,11 +82,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "metrics-collector.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -123,15 +121,15 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -176,9 +174,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +199,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -230,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -257,6 +255,7 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: metricscollector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -272,8 +271,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -309,7 +306,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -319,7 +320,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -342,14 +343,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -358,10 +359,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -376,12 +377,12 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 @@ -411,7 +412,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -451,7 +452,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -487,7 +488,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -525,15 +526,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -543,7 +544,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -551,18 +552,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -621,8 +622,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -631,9 +630,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -645,6 +644,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -659,8 +660,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -703,8 +702,8 @@ jobs: FILE_GLOB_FILTER: "metrics/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index b1d101df01..3f7a357daa 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "notion-issue-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: missing_tool, missing_data, noop @@ -187,9 +185,9 @@ jobs: GH_AW_EXPR_FD3E9604: ${{ github.event.inputs.issue-number }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -229,11 +227,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -256,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: notionissuesummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -278,14 +274,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -308,14 +306,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -324,21 +322,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/notion node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/notion node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"notion-add-comment":{"description":"Add a comment to a Notion page","inputs":{"comment":{"default":null,"description":"The comment text to add","required":true,"type":"string"}},"output":"Comment added to Notion successfully!"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -452,7 +450,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -537,8 +535,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -549,7 +547,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -579,7 +577,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e NOTION_API_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -627,7 +625,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -664,7 +662,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -702,15 +700,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,NOTION_API_TOKEN' @@ -721,7 +719,7 @@ jobs: SECRET_NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -738,9 +736,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -749,18 +747,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -806,6 +804,8 @@ jobs: concurrency: group: "gh-aw-conclusion-notion-issue-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -820,8 +820,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -845,9 +843,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -858,9 +856,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -880,9 +878,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -897,9 +895,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); notion_add_comment: @@ -915,11 +913,11 @@ jobs: uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: agent - path: /opt/gh-aw/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${{ env.GH_AW_HOME }}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${{ env.GH_AW_HOME }}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Add comment to Notion page uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: @@ -1038,6 +1036,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/notion-issue-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "notion-issue-summary" GH_AW_WORKFLOW_NAME: "Issue Summary to Notion" outputs: @@ -1057,8 +1056,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1085,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index a7d7a8d698..566a2e7a46 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -113,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "org-health-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,16 +128,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -197,9 +195,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -218,10 +216,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -243,11 +241,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -274,10 +272,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: orghealthreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -298,14 +294,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -333,7 +331,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -363,27 +361,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"reports\".", @@ -539,7 +537,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -659,8 +657,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -671,7 +669,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -702,7 +700,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -737,7 +735,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -777,7 +775,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -815,15 +813,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -833,7 +831,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -850,9 +848,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -861,18 +859,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -962,9 +960,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1014,9 +1012,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1062,6 +1060,8 @@ jobs: concurrency: group: "gh-aw-conclusion-org-health-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1076,8 +1076,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1101,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1114,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1138,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1155,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1172,6 +1170,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/org-health-report" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "org-health-report" GH_AW_WORKFLOW_NAME: "Organization Health Report" outputs: @@ -1191,8 +1190,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1218,9 +1215,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1237,6 +1234,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: orghealthreport steps: - name: Checkout actions folder @@ -1248,8 +1246,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1293,8 +1289,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1349,8 +1343,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 76aa44184a..3dc783961e 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -93,8 +93,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -116,11 +114,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -141,9 +139,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -151,18 +149,18 @@ jobs: GH_AW_WORKFLOW_FILE: "pdf-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -182,16 +180,16 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_discussion, missing_tool, missing_data, noop @@ -226,7 +224,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -250,9 +248,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -278,10 +276,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -310,11 +308,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -338,10 +336,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: pdfsummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -362,17 +358,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -402,14 +400,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -418,21 +416,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/markitdown node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created.", @@ -600,7 +598,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -729,8 +727,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -741,7 +739,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -770,7 +768,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -812,7 +810,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -849,7 +847,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -887,15 +885,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -905,7 +903,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -923,9 +921,9 @@ jobs: GH_AW_COMMAND: summarize with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -934,18 +932,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1026,9 +1024,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1078,9 +1076,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1126,6 +1124,8 @@ jobs: concurrency: group: "gh-aw-conclusion-pdf-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1140,8 +1140,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1165,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1178,9 +1176,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1203,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1220,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1248,8 +1246,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1258,9 +1254,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1269,9 +1265,9 @@ jobs: GH_AW_COMMANDS: "[\"summarize\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1287,6 +1283,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pdf-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📄 *Summary compiled by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📖 Page by page! [{workflow_name}]({run_url}) is reading through this {event_type}...\",\"runSuccess\":\"📚 TL;DR ready! [{workflow_name}]({run_url}) has distilled the essence. Knowledge condensed! ✨\",\"runFailure\":\"📖 Reading interrupted! [{workflow_name}]({run_url}) {status}. The document remains unsummarized...\"}" GH_AW_WORKFLOW_ID: "pdf-summary" GH_AW_WORKFLOW_NAME: "Resource Summarizer Agent" @@ -1309,8 +1306,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1336,9 +1331,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1355,6 +1350,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: pdfsummary steps: - name: Checkout actions folder @@ -1366,8 +1362,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 16182adddf..fd88583bcf 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -75,8 +75,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -98,11 +96,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -123,9 +121,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -133,18 +131,18 @@ jobs: GH_AW_WORKFLOW_FILE: "plan.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -161,15 +159,15 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, close_discussion, missing_tool, missing_data, noop @@ -204,7 +202,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -223,9 +221,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -245,10 +243,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -271,11 +269,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -299,10 +297,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: plan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -323,14 +319,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -353,27 +351,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_discussion":{"max":1,"required_category":"Ideas"},"create_issue":{"expires":48,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[plan] \". Labels [\"plan\" \"ai-generated\" \"cookie\"] will be automatically added.", @@ -561,7 +559,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_discussion": { "defaultMax": 1, @@ -706,8 +704,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -718,7 +716,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -746,7 +744,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -780,7 +778,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -817,7 +815,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -855,15 +853,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -873,7 +871,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -891,9 +889,9 @@ jobs: GH_AW_COMMAND: plan with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -902,18 +900,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -988,9 +986,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1040,9 +1038,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1086,6 +1084,8 @@ jobs: concurrency: group: "gh-aw-conclusion-plan" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1100,8 +1100,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1125,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1138,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1160,9 +1158,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1177,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1203,8 +1201,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1213,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1224,9 +1220,9 @@ jobs: GH_AW_COMMANDS: "[\"plan\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1241,6 +1237,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/plan" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "plan" GH_AW_WORKFLOW_NAME: "Plan Command" outputs: @@ -1262,8 +1259,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1289,9 +1284,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 7591cd10b4..2c21a875c1 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -85,8 +85,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -108,11 +106,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -133,9 +131,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -143,18 +141,18 @@ jobs: GH_AW_WORKFLOW_FILE: "poem-bot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -172,22 +170,22 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_issue, create_discussion, create_agent_session, create_pull_request, close_pull_request, create_pull_request_review_comment, add_labels, push_to_pull_request_branch, upload_asset, link_sub_issue, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -222,7 +220,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -244,9 +242,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -270,10 +268,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -300,11 +298,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -327,10 +325,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: poembot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -351,17 +347,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -391,14 +389,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -407,21 +405,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3,"target":"*"},"add_labels":{"allowed":["poetry","creative","automation","ai-generated","epic","haiku","sonnet","limerick"],"max":5},"create_agent_session":{"max":1},"create_discussion":{"expires":24,"max":2},"create_issue":{"expires":48,"group":true,"max":2},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[🎨 POETRY] "},"create_pull_request_review_comment":{"max":2},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1},"update_issue":{"max":2},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 2 issue(s) can be created. Title will be prefixed with \"[🎭 POEM-BOT] \". Labels [\"poetry\" \"automation\" \"ai-generated\"] will be automatically added.", @@ -995,7 +993,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1362,8 +1360,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -1374,7 +1372,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1406,7 +1404,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1441,7 +1439,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1506,7 +1504,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1544,15 +1542,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1562,7 +1560,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1580,9 +1578,9 @@ jobs: GH_AW_COMMAND: poem-bot with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1591,18 +1589,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1694,9 +1692,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1746,9 +1744,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1795,6 +1793,8 @@ jobs: concurrency: group: "gh-aw-conclusion-poem-bot" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1809,8 +1809,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1834,9 +1832,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1849,9 +1847,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1876,9 +1874,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1893,9 +1891,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1907,9 +1905,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1932,8 +1930,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1942,9 +1938,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1953,9 +1949,9 @@ jobs: GH_AW_COMMANDS: "[\"poem-bot\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1974,6 +1970,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/poem-bot" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUTS_STAGED: "true" GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Verses penned by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎭 Hear ye! The muse stirs! [{workflow_name}]({run_url}) takes quill in hand for this {event_type}...\",\"runSuccess\":\"🪶 The poem is writ! [{workflow_name}]({run_url}) has composed verses most fair. Applause! 👏\",\"runFailure\":\"🎭 Alas! [{workflow_name}]({run_url}) {status}. The muse has fled, leaving verses unsung...\"}" GH_AW_WORKFLOW_ID: "poem-bot" @@ -2005,8 +2002,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2062,9 +2057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Create Agent Session id: create_agent_session @@ -2076,7 +2071,7 @@ jobs: with: github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); @@ -2087,6 +2082,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: poembot steps: - name: Checkout actions folder @@ -2098,8 +2094,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -2143,8 +2137,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -2202,8 +2194,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 23b9ef2b01..70c4e97a48 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "portfolio-analyst.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -127,16 +125,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -195,9 +193,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -216,10 +214,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -241,11 +239,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -271,10 +269,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: portfolioanalyst outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -295,8 +291,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -332,7 +326,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Setup Python environment @@ -366,7 +364,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -396,14 +394,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -412,10 +410,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -430,27 +428,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[portfolio] \". Discussions will be created in category \"audits\".", @@ -606,7 +604,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -726,8 +724,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -738,7 +736,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -771,7 +769,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -818,7 +816,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -858,7 +856,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -896,15 +894,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -914,7 +912,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -931,9 +929,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -942,18 +940,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1043,9 +1041,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1095,9 +1093,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1143,6 +1141,8 @@ jobs: concurrency: group: "gh-aw-conclusion-portfolio-analyst" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1157,8 +1157,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1183,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1197,9 +1195,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1222,9 +1220,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1240,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1257,6 +1255,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/portfolio-analyst" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "portfolio-analyst-weekly" GH_AW_WORKFLOW_ID: "portfolio-analyst" GH_AW_WORKFLOW_NAME: "Automated Portfolio Analyst" @@ -1277,8 +1276,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1304,9 +1301,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1323,6 +1320,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: portfolioanalyst steps: - name: Checkout actions folder @@ -1334,8 +1332,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1379,8 +1375,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1436,8 +1430,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 7955f2c268..f905675b06 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -103,8 +103,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -126,11 +124,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -151,9 +149,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -161,18 +159,18 @@ jobs: GH_AW_WORKFLOW_FILE: "pr-nitpick-reviewer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -189,16 +187,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, create_pull_request_review_comment, submit_pull_request_review, missing_tool, missing_data, noop @@ -233,7 +231,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -255,9 +253,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -280,10 +278,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -309,11 +307,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -336,10 +334,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: prnitpickreviewer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -360,17 +356,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -400,14 +398,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -416,21 +414,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"create_pull_request_review_comment":{"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[nitpick-report] \". Discussions will be created in category \"audits\".", @@ -645,7 +643,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -808,8 +806,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -820,7 +818,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -849,7 +847,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -884,7 +882,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -921,7 +919,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -959,15 +957,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -977,7 +975,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -995,9 +993,9 @@ jobs: GH_AW_COMMAND: nit with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1006,18 +1004,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1098,9 +1096,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1150,9 +1148,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1198,6 +1196,8 @@ jobs: concurrency: group: "gh-aw-conclusion-pr-nitpick-reviewer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1212,8 +1212,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1237,9 +1235,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1250,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1275,9 +1273,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1292,9 +1290,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1324,8 +1322,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1334,9 +1330,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1345,9 +1341,9 @@ jobs: GH_AW_COMMANDS: "[\"nit\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1363,6 +1359,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pr-nitpick-reviewer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Meticulously inspected by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 Adjusting monocle... [{workflow_name}]({run_url}) is scrutinizing every pixel of this {event_type}...\",\"runSuccess\":\"🔍 Nitpicks catalogued! [{workflow_name}]({run_url}) has documented all the tiny details. Perfection awaits! ✅\",\"runFailure\":\"🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected...\"}" GH_AW_WORKFLOW_ID: "pr-nitpick-reviewer" GH_AW_WORKFLOW_NAME: "PR Nitpick Reviewer 🔍" @@ -1383,8 +1380,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1410,9 +1405,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1429,6 +1424,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: prnitpickreviewer steps: - name: Checkout actions folder @@ -1440,8 +1436,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 31fca39ab8..b65b721b7b 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -58,8 +58,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -84,11 +82,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -106,9 +104,9 @@ jobs: GH_AW_WORKFLOW_FILE: "pr-triage-agent.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,16 +122,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, missing_tool, missing_data, noop @@ -182,9 +180,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -263,10 +261,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: prtriageagent outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,14 +283,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -304,7 +302,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -327,27 +325,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":50},"add_labels":{"max":100},"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[PR Triage Report] \".", @@ -574,7 +572,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -729,8 +727,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -741,7 +739,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -769,7 +767,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -804,7 +802,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -841,7 +839,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -879,15 +877,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -897,7 +895,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -914,9 +912,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -925,18 +923,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1020,9 +1018,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1072,9 +1070,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1120,6 +1118,8 @@ jobs: concurrency: group: "gh-aw-conclusion-pr-triage-agent" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1134,8 +1134,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1159,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1172,9 +1170,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1199,9 +1197,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1216,9 +1214,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1230,6 +1228,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1244,8 +1244,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1288,9 +1286,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1306,6 +1304,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pr-triage-agent" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🔍 Starting PR triage analysis... [{workflow_name}]({run_url}) is categorizing and prioritizing agent-created PRs\",\"runSuccess\":\"✅ PR triage complete! [{workflow_name}]({run_url}) has analyzed and categorized PRs. Check the issue for detailed report.\",\"runFailure\":\"❌ PR triage failed! [{workflow_name}]({run_url}) {status}. Some PRs may not be triaged.\"}" GH_AW_WORKFLOW_ID: "pr-triage-agent" GH_AW_WORKFLOW_NAME: "PR Triage Agent" @@ -1330,8 +1329,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1357,9 +1354,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 9ae2ae01eb..be999f542f 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -68,8 +68,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -91,11 +89,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -113,9 +111,9 @@ jobs: GH_AW_WORKFLOW_FILE: "prompt-clustering-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,16 +128,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -199,9 +197,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -220,10 +218,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -245,11 +243,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -275,10 +273,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: promptclusteringanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -298,8 +294,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -335,7 +329,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -388,7 +386,7 @@ jobs: restore-keys: prompt-clustering-cache- # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -418,9 +416,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -428,7 +426,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -439,10 +437,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -457,27 +455,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[prompt-clustering] \". Discussions will be created in category \"audits\".", @@ -608,7 +606,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -719,8 +717,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -731,7 +729,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -760,7 +758,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -805,7 +803,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -929,15 +927,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -947,7 +945,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -964,9 +962,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -975,18 +973,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1065,9 +1063,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1128,9 +1126,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1175,6 +1173,8 @@ jobs: concurrency: group: "gh-aw-conclusion-prompt-clustering-analysis" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1189,8 +1189,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1214,9 +1212,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1227,9 +1225,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1250,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1267,9 +1265,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1284,6 +1282,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/prompt-clustering-analysis" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "prompt-clustering-analysis" GH_AW_WORKFLOW_NAME: "Copilot Agent Prompt Clustering Analysis" outputs: @@ -1303,8 +1302,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1330,9 +1327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1349,6 +1346,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: promptclusteringanalysis steps: - name: Checkout actions folder @@ -1360,8 +1358,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 96579f91f6..6491238bbb 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "python-data-charts.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,16 +122,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -193,9 +191,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -214,10 +212,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -239,11 +237,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -267,10 +265,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: pythondatacharts outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -291,8 +287,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -328,7 +322,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -354,7 +352,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -384,14 +382,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -400,10 +398,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -418,27 +416,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"artifacts\".", @@ -594,7 +592,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -714,8 +712,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -726,7 +724,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -759,7 +757,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -806,7 +804,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -846,7 +844,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -884,15 +882,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -902,7 +900,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -919,9 +917,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -930,18 +928,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1031,9 +1029,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1083,9 +1081,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1131,6 +1129,8 @@ jobs: concurrency: group: "gh-aw-conclusion-python-data-charts" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1145,8 +1145,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1170,9 +1168,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1183,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1207,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1224,9 +1222,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1241,6 +1239,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/python-data-charts" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "python-data-charts" GH_AW_WORKFLOW_NAME: "Python Data Visualization Generator" outputs: @@ -1260,8 +1259,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1287,9 +1284,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1306,6 +1303,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: pythondatacharts steps: - name: Checkout actions folder @@ -1317,8 +1315,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1362,8 +1358,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1418,8 +1412,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index d4c5f49a0c..e110bc7fe0 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -111,8 +111,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -134,11 +132,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -159,9 +157,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -169,18 +167,18 @@ jobs: GH_AW_WORKFLOW_FILE: "q.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -198,21 +196,21 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -245,7 +243,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -270,9 +268,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -296,10 +294,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -326,11 +324,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -355,10 +353,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: q outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -379,8 +375,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -416,10 +410,14 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -449,14 +447,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -465,10 +463,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -483,27 +481,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[q] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -686,7 +684,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -825,8 +823,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -837,7 +835,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -867,7 +865,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -922,7 +920,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -959,7 +957,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -997,15 +995,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1015,7 +1013,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1033,9 +1031,9 @@ jobs: GH_AW_COMMAND: q with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1044,18 +1042,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1137,9 +1135,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1189,9 +1187,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1237,6 +1235,8 @@ jobs: concurrency: group: "gh-aw-conclusion-q" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1251,8 +1251,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1276,9 +1274,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1289,9 +1287,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1314,9 +1312,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1331,9 +1329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1345,9 +1343,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1383,8 +1381,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1393,9 +1389,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1404,9 +1400,9 @@ jobs: GH_AW_COMMANDS: "[\"q\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1424,6 +1420,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/q" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎩 *Equipped by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Pay attention, 007! [{workflow_name}]({run_url}) is preparing your gadgets for this {event_type}...\",\"runSuccess\":\"🎩 Mission equipment ready! [{workflow_name}]({run_url}) has optimized your workflow. Use wisely, 007! 🔫\",\"runFailure\":\"🔧 Technical difficulties! [{workflow_name}]({run_url}) {status}. Even Q Branch has bad days...\"}" GH_AW_WORKFLOW_ID: "q" GH_AW_WORKFLOW_NAME: "Q" @@ -1448,8 +1445,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1504,9 +1499,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1523,6 +1518,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: q steps: - name: Checkout actions folder @@ -1534,8 +1530,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 3d2b6725f0..dd8172555b 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -100,11 +98,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -122,18 +120,18 @@ jobs: GH_AW_WORKFLOW_FILE: "refiner.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -149,20 +147,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -211,9 +209,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -231,10 +229,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -255,11 +253,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -282,10 +280,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: refiner outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,14 +302,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,27 +334,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"max":1,"reviewers":["copilot"],"title_prefix":"[refiner] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -539,7 +537,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -678,8 +676,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -690,7 +688,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -718,7 +716,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -753,7 +751,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -790,7 +788,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -828,15 +826,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -846,7 +844,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -863,9 +861,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -874,18 +872,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -961,9 +959,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1013,9 +1011,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1060,6 +1058,8 @@ jobs: concurrency: group: "gh-aw-conclusion-refiner" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1074,8 +1074,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1099,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1112,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1137,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1154,9 +1152,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1168,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1193,8 +1191,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1203,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1223,6 +1219,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/refiner" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🔍 Starting code refinement... [{workflow_name}]({run_url}) is analyzing PR #${{ github.event.pull_request.number }} for style alignment and security issues\",\"runSuccess\":\"✅ Refinement complete! [{workflow_name}]({run_url}) has created a PR with improvements for PR #${{ github.event.pull_request.number }}\",\"runFailure\":\"❌ Refinement failed! [{workflow_name}]({run_url}) {status} while processing PR #${{ github.event.pull_request.number }}\"}" GH_AW_WORKFLOW_ID: "refiner" GH_AW_WORKFLOW_NAME: "Code Refiner" @@ -1247,8 +1244,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1303,9 +1298,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index abb281b0b0..627a1a7292 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -71,8 +71,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -94,11 +92,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -116,9 +114,9 @@ jobs: GH_AW_WORKFLOW_FILE: "release.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -133,15 +131,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_release, missing_tool, missing_data, noop @@ -189,9 +187,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +206,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -231,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -262,10 +260,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: release outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,14 +282,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} RELEASE_ID: ${{ needs.release.outputs.release_id }} @@ -323,14 +321,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -339,21 +337,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_release":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Update a GitHub release description by replacing, appending to, or prepending to the existing content. Use this to add release notes, changelogs, or additional information to an existing release. CONSTRAINTS: Maximum 1 release(s) can be updated.", @@ -490,7 +488,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -600,8 +598,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -612,7 +610,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -641,7 +639,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -676,7 +674,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -713,7 +711,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -751,15 +749,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -769,7 +767,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -786,9 +784,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -797,18 +795,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -883,9 +881,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -935,9 +933,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -979,6 +977,8 @@ jobs: concurrency: group: "gh-aw-conclusion-release" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -993,8 +993,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1018,9 +1016,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1031,9 +1029,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1053,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1070,9 +1068,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); config: @@ -1200,8 +1198,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1210,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_tag: @@ -1430,6 +1426,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/release" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "release" GH_AW_WORKFLOW_NAME: "Release" outputs: @@ -1449,8 +1446,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1476,9 +1471,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 7b7e3e4f72..87303f7aad 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -111,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "repo-audit-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,16 +127,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_INPUTS_REPOSITORY: ${{ inputs.repository }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -189,9 +187,9 @@ jobs: GH_AW_INPUTS_REPOSITORY: ${{ inputs.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -211,10 +209,10 @@ jobs: GH_AW_INPUTS_REPOSITORY: ${{ inputs.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -237,11 +235,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -265,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: repoauditanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,14 +285,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory (repo-audits) run: | @@ -330,14 +328,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -346,21 +344,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"create_missing_tool_issue":{"labels":["cookie"],"max":1,"title_prefix":"[missing tool]"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -491,7 +489,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -602,8 +600,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -614,7 +612,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -643,7 +641,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -678,7 +676,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -715,7 +713,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -753,15 +751,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -771,7 +769,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -788,9 +786,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -799,18 +797,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -891,9 +889,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -943,9 +941,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -990,6 +988,8 @@ jobs: concurrency: group: "gh-aw-conclusion-repo-audit-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1004,8 +1004,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1029,9 +1027,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1045,9 +1043,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1069,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1086,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1103,6 +1101,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/repo-audit-analyzer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "repo-audit-analyzer" GH_AW_WORKFLOW_NAME: "Repository Audit & Agentic Workflow Opportunity Analyzer" outputs: @@ -1122,8 +1121,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1149,9 +1146,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1168,6 +1165,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: repoauditanalyzer steps: - name: Checkout actions folder @@ -1179,8 +1177,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (repo-audits) id: download_cache_repo_audits uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 7ab2e1d7f3..bb6e3f80bd 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "repo-tree-map.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -183,9 +181,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -252,10 +250,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: repotreemap outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,14 +272,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -306,14 +304,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -322,21 +320,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"dev\".", @@ -467,7 +465,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -578,8 +576,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -590,7 +588,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -619,7 +617,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -654,7 +652,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -691,7 +689,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -729,15 +727,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -747,7 +745,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -764,9 +762,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -775,18 +773,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -861,9 +859,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -913,9 +911,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -959,6 +957,8 @@ jobs: concurrency: group: "gh-aw-conclusion-repo-tree-map" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -973,8 +973,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -998,9 +996,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1011,9 +1009,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1035,9 +1033,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1052,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1069,6 +1067,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/repo-tree-map" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "repo-tree-map" GH_AW_WORKFLOW_NAME: "Repository Tree Map Generator" outputs: @@ -1088,8 +1087,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1115,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 22725444fc..af0cf0cfd8 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "repository-quality-improver.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -188,9 +186,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -209,10 +207,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -234,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -264,10 +262,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: repositoryqualityimprover outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,14 +284,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory (focus-areas) run: | @@ -329,14 +327,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -345,21 +343,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -490,7 +488,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -601,8 +599,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -613,7 +611,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -642,7 +640,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -685,7 +683,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -722,7 +720,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -760,15 +758,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -778,7 +776,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -795,9 +793,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -806,18 +804,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -898,9 +896,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -950,9 +948,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -997,6 +995,8 @@ jobs: concurrency: group: "gh-aw-conclusion-repository-quality-improver" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1011,8 +1011,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1036,9 +1034,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1049,9 +1047,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1073,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1090,9 +1088,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1107,6 +1105,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/repository-quality-improver" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "repository-quality-improver" GH_AW_WORKFLOW_NAME: "Repository Quality Improvement Agent" outputs: @@ -1126,8 +1125,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1153,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1172,6 +1169,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: repositoryqualityimprover steps: - name: Checkout actions folder @@ -1183,8 +1181,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (focus-areas) id: download_cache_focus_areas uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index e185454f0d..cdde26c2bd 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -111,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "research.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,15 +127,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -193,9 +191,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -212,10 +210,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -235,11 +233,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -262,10 +260,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: research outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,14 +282,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -316,14 +314,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -332,21 +330,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"research\".", @@ -477,7 +475,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -588,8 +586,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -600,7 +598,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -630,7 +628,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -678,7 +676,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -716,7 +714,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -754,15 +752,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -773,7 +771,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -790,9 +788,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -801,18 +799,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -887,9 +885,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -939,9 +937,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -985,6 +983,8 @@ jobs: concurrency: group: "gh-aw-conclusion-research" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -999,8 +999,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1024,9 +1022,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1037,9 +1035,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1061,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1078,9 +1076,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1095,6 +1093,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/research" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "research" GH_AW_WORKFLOW_NAME: "Basic Research Agent" outputs: @@ -1114,8 +1113,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1141,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 6dcfcf6b9a..f5eb0bd4c2 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "safe-output-health.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,16 +124,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -189,9 +187,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -235,11 +233,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -265,10 +263,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: safeoutputhealth outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,8 +284,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -325,7 +319,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -335,7 +333,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -365,9 +363,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -375,7 +373,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -386,10 +384,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -404,27 +402,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -555,7 +553,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -666,8 +664,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -678,7 +676,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -707,7 +705,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -752,7 +750,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -891,15 +889,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -909,7 +907,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -926,9 +924,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -937,18 +935,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1027,9 +1025,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1090,9 +1088,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1137,6 +1135,8 @@ jobs: concurrency: group: "gh-aw-conclusion-safe-output-health" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1151,8 +1151,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1176,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1189,9 +1187,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1212,9 +1210,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1229,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1246,6 +1244,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/safe-output-health" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "safe-output-health" GH_AW_WORKFLOW_NAME: "Safe Output Health Monitor" outputs: @@ -1265,8 +1264,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1292,9 +1289,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1311,6 +1308,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: safeoutputhealth steps: - name: Checkout actions folder @@ -1322,8 +1320,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 030fd7b451..680e1dd6f6 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "schema-consistency-checker.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -184,9 +182,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -205,10 +203,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -230,11 +228,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -260,10 +258,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: schemaconsistencychecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,17 +279,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -323,9 +321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -333,7 +331,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -344,21 +342,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Schema Consistency] \". Discussions will be created in category \"audits\".", @@ -489,7 +487,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -600,8 +598,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -612,7 +610,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -640,7 +638,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -675,7 +673,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -799,15 +797,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -817,7 +815,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -834,9 +832,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -845,18 +843,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -935,9 +933,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -998,9 +996,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1045,6 +1043,8 @@ jobs: concurrency: group: "gh-aw-conclusion-schema-consistency-checker" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1059,8 +1059,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1084,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1097,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1120,9 +1118,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1137,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1154,6 +1152,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/schema-consistency-checker" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "schema-consistency-checker" GH_AW_WORKFLOW_NAME: "Schema Consistency Checker" outputs: @@ -1173,8 +1172,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1200,9 +1197,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1219,6 +1216,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: schemaconsistencychecker steps: - name: Checkout actions folder @@ -1230,8 +1228,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 8bd359870c..2cbc28c438 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -130,8 +130,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -153,11 +151,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -178,9 +176,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -188,18 +186,18 @@ jobs: GH_AW_WORKFLOW_FILE: "scout.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -219,16 +217,16 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, add_labels, missing_tool, missing_data, noop @@ -263,7 +261,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -305,9 +303,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -333,10 +331,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -365,11 +363,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -392,10 +390,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: scout outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -415,20 +411,22 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -458,9 +456,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -468,22 +466,22 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"add_labels":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -646,7 +644,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -768,8 +766,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -780,7 +778,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -808,7 +806,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "arxiv": { @@ -883,7 +881,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1030,15 +1028,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -1049,7 +1047,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1067,9 +1065,9 @@ jobs: GH_AW_COMMAND: scout with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1078,18 +1076,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1168,9 +1166,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1231,9 +1229,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1279,6 +1277,8 @@ jobs: concurrency: group: "gh-aw-conclusion-scout" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1293,8 +1293,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1318,9 +1316,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1331,9 +1329,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1353,9 +1351,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1370,9 +1368,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1407,8 +1405,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1417,9 +1413,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1428,9 +1424,9 @@ jobs: GH_AW_COMMANDS: "[\"scout\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1446,6 +1442,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/scout" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔭 *Intelligence gathered by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🏕️ Scout on patrol! [{workflow_name}]({run_url}) is blazing trails through this {event_type}...\",\"runSuccess\":\"🔭 Recon complete! [{workflow_name}]({run_url}) has charted the territory. Map ready! 🗺️\",\"runFailure\":\"🏕️ Lost in the wilderness! [{workflow_name}]({run_url}) {status}. Sending search party...\"}" GH_AW_WORKFLOW_ID: "scout" GH_AW_WORKFLOW_NAME: "Scout" @@ -1468,8 +1465,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1495,9 +1490,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1514,6 +1509,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: scout steps: - name: Checkout actions folder @@ -1525,8 +1521,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index 01813cd7a6..18bce3611d 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "security-alert-burndown.campaign.g.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt_multi.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt_multi.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_project, create_project_status_update, missing_tool, missing_data, noop @@ -181,9 +179,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +199,10 @@ jobs: GH_AW_MEMORY_LIST: "- **campaigns**: `/tmp/gh-aw/repo-memory/campaigns/` (branch: `memory/campaigns`)\n" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -225,11 +223,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -252,10 +250,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: securityalertburndown.campaign.g outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,14 +271,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Create workspace directory run: mkdir -p ./.gh-aw - env: @@ -310,7 +308,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/campaigns CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -333,9 +331,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -343,7 +341,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -354,21 +352,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":3},"create_issue":{"max":1},"create_project_status_update":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/campaigns","id":"campaigns","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]},"update_project":{"max":10}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -762,7 +760,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -980,8 +978,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -992,7 +990,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1020,7 +1018,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1054,7 +1052,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1174,15 +1172,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1192,7 +1190,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1209,9 +1207,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1220,18 +1218,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1313,9 +1311,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1376,9 +1374,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1424,6 +1422,8 @@ jobs: concurrency: group: "gh-aw-conclusion-security-alert-burndown.campaign.g" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1438,8 +1438,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1463,9 +1461,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1476,9 +1474,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1501,9 +1499,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1518,9 +1516,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1532,6 +1530,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.patch_size_exceeded }} validation_error_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.validation_error }} @@ -1546,8 +1546,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1590,9 +1588,9 @@ jobs: FILE_GLOB_FILTER: "security-alert-burndown/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1608,6 +1606,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/security-alert-burndown.campaign.g" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "security-alert-burndown.campaign.g" GH_AW_WORKFLOW_NAME: "Security Alert Burndown" outputs: @@ -1632,7 +1631,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1661,9 +1659,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 0fee83b74e..4c2208ba1f 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -71,8 +71,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -94,11 +92,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -116,18 +114,18 @@ jobs: GH_AW_WORKFLOW_FILE: "security-compliance.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -146,16 +144,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -206,9 +204,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -233,10 +231,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -264,11 +262,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -290,10 +288,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: securitycompliance outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -314,14 +310,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -331,7 +329,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -354,14 +352,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -370,21 +368,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"group":true,"max":100},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 100 issue(s) can be created. Labels [\"security\" \"campaign-tracker\" \"cookie\"] will be automatically added.", @@ -545,7 +543,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -663,8 +661,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -675,7 +673,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -704,7 +702,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -739,7 +737,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -776,7 +774,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -814,15 +812,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -832,7 +830,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -849,9 +847,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -860,18 +858,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -955,9 +953,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1007,9 +1005,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1053,6 +1051,8 @@ jobs: concurrency: group: "gh-aw-conclusion-security-compliance" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1067,8 +1067,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1092,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1105,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1131,9 +1129,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1148,9 +1146,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); push_repo_memory: @@ -1162,6 +1160,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1176,8 +1176,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1220,9 +1218,9 @@ jobs: FILE_GLOB_FILTER: "memory/campaigns/security-compliance-*/**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1236,6 +1234,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/security-compliance" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "security-compliance" GH_AW_WORKFLOW_NAME: "Security Compliance Campaign" outputs: @@ -1257,8 +1256,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1284,9 +1281,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 7a7c48281f..acf48aa431 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -75,8 +75,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -98,11 +96,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -123,9 +121,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -133,18 +131,18 @@ jobs: GH_AW_WORKFLOW_FILE: "security-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -161,16 +159,16 @@ jobs: GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request_review_comment, submit_pull_request_review, missing_tool, missing_data, noop @@ -205,7 +203,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -223,9 +221,9 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -248,10 +246,10 @@ jobs: GH_AW_STEPS_SANITIZED_OUTPUTS_TEXT: ${{ steps.sanitized.outputs.text }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -277,11 +275,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -307,10 +305,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: securityreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -331,8 +327,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -368,10 +362,14 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -401,14 +399,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -417,10 +415,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -435,27 +433,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request_review_comment":{"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a review comment on a specific line of code in a pull request. Use this for inline code review feedback, suggestions, or questions about specific code changes. For general PR comments not tied to specific lines, use add_comment instead. CONSTRAINTS: Maximum 10 review comment(s) can be created. Comments will be on the RIGHT side of the diff.", @@ -636,7 +634,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request_review_comment": { "defaultMax": 1, @@ -773,8 +771,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -785,7 +783,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -815,7 +813,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -862,7 +860,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -899,7 +897,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -937,15 +935,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -955,7 +953,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -973,9 +971,9 @@ jobs: GH_AW_COMMAND: security-review with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -984,18 +982,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1076,9 +1074,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1128,9 +1126,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1174,6 +1172,8 @@ jobs: concurrency: group: "gh-aw-conclusion-security-review" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1188,8 +1188,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1213,9 +1211,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1226,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1249,9 +1247,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1266,9 +1264,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1292,8 +1290,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1302,9 +1298,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1313,9 +1309,9 @@ jobs: GH_AW_COMMANDS: "[\"security-review\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1329,6 +1325,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/security-review" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔒 *Security review by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) is analyzing this {event_type} for security implications...\",\"runSuccess\":\"🔒 [{workflow_name}]({run_url}) completed the security review.\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status} during security review.\"}" GH_AW_WORKFLOW_ID: "security-review" GH_AW_WORKFLOW_NAME: "Security Review Agent 🔒" @@ -1349,8 +1346,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1376,9 +1371,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1395,6 +1390,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: securityreview steps: - name: Checkout actions folder @@ -1406,8 +1402,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 0a0c45e684..759e56824a 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "semantic-function-refactor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,15 +124,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, close_issue, missing_tool, missing_data, noop @@ -189,9 +187,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,10 +205,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -229,11 +227,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -258,10 +256,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: semanticfunctionrefactor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -281,14 +277,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -311,9 +309,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -321,7 +319,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -332,21 +330,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"close_issue":{"max":10,"required_title_prefix":"[refactor] ","target":"*"},"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[refactor] \". Labels [\"refactoring\" \"code-quality\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -524,7 +522,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "close_issue": { "defaultMax": 1, @@ -660,8 +658,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -672,7 +670,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -700,7 +698,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -750,7 +748,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -889,15 +887,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -907,7 +905,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -924,9 +922,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -935,18 +933,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1019,9 +1017,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1082,9 +1080,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1127,6 +1125,8 @@ jobs: concurrency: group: "gh-aw-conclusion-semantic-function-refactor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1141,8 +1141,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1166,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1179,9 +1177,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1200,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1217,9 +1215,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1233,6 +1231,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/semantic-function-refactor" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "semantic-function-refactor" GH_AW_WORKFLOW_NAME: "Semantic Function Refactoring" outputs: @@ -1254,8 +1253,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1281,9 +1278,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index bf4ded43ee..433ee4cf0d 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "sergo.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,16 +124,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -190,9 +188,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -211,10 +209,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -236,11 +234,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -266,10 +264,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: sergo outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,17 +285,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -329,9 +327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -339,7 +337,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -350,21 +348,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[sergo] \". Discussions will be created in category \"audits\".", @@ -495,7 +493,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -606,8 +604,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -618,7 +616,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -646,7 +644,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -696,7 +694,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -837,15 +835,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -855,7 +853,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -872,9 +870,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -883,18 +881,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -973,9 +971,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1036,9 +1034,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1083,6 +1081,8 @@ jobs: concurrency: group: "gh-aw-conclusion-sergo" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1097,8 +1097,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1123,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1137,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1161,9 +1159,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1179,9 +1177,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1196,6 +1194,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/sergo" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "sergo-daily" GH_AW_WORKFLOW_ID: "sergo" GH_AW_WORKFLOW_NAME: "Sergo - Serena Go Expert" @@ -1216,8 +1215,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1243,9 +1240,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1262,6 +1259,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: sergo steps: - name: Checkout actions folder @@ -1273,8 +1271,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 5323d3dae7..1a180353e0 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -70,8 +70,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -93,11 +91,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -115,9 +113,9 @@ jobs: GH_AW_WORKFLOW_FILE: "slide-deck-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -134,22 +132,22 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_INPUTS_FOCUS: ${{ inputs.focus }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -202,9 +200,9 @@ jobs: GH_AW_INPUTS_FOCUS: ${{ inputs.focus }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -226,10 +224,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -254,11 +252,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -283,10 +281,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: slidedeckmaintainer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -307,14 +303,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: @@ -328,7 +326,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -358,14 +356,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -374,21 +372,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":24,"max":1,"title_prefix":"[slides] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[slides] \".", @@ -534,7 +532,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -655,8 +653,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -667,7 +665,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -697,7 +695,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -739,7 +737,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -816,7 +814,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -854,15 +852,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -872,7 +870,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -889,9 +887,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -900,18 +898,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -993,9 +991,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1045,9 +1043,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1092,6 +1090,8 @@ jobs: concurrency: group: "gh-aw-conclusion-slide-deck-maintainer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1106,8 +1106,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1132,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1146,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1171,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1189,9 +1187,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1204,9 +1202,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1226,8 +1224,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1236,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1249,9 +1245,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1268,6 +1264,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/slide-deck-maintainer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "slide-deck-maintainer" GH_AW_WORKFLOW_ID: "slide-deck-maintainer" GH_AW_WORKFLOW_NAME: "Slide Deck Maintainer" @@ -1290,8 +1287,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1346,9 +1341,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1365,6 +1360,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: slidedeckmaintainer steps: - name: Checkout actions folder @@ -1376,8 +1372,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index a35f30a120..ea0ce72d75 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -119,18 +117,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-all-merged.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -141,9 +139,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=merged`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -158,15 +156,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -214,9 +212,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -233,10 +231,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -256,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -283,10 +281,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentallmerged outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,14 +302,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,9 +334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -348,7 +346,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -357,21 +355,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -505,7 +503,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -608,8 +606,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -620,7 +618,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -678,7 +676,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -725,7 +723,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -770,15 +768,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -789,7 +787,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -806,9 +804,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -817,18 +815,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -903,9 +901,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -942,9 +940,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -989,6 +987,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-agent-all-merged" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1003,8 +1003,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1028,9 +1026,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1041,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1063,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1080,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1099,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1124,8 +1122,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1134,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1152,6 +1148,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-all-merged" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=merged`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-all-merged" GH_AW_WORKFLOW_NAME: "Smoke Agent: all/merged" @@ -1174,8 +1171,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1201,9 +1196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 8c29c55253..3a777c8043 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -119,18 +117,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-all-none.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -141,9 +139,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=none`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -158,15 +156,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -214,9 +212,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -233,10 +231,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -256,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -283,10 +281,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentallnone outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,14 +302,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,9 +334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -348,7 +346,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -357,21 +355,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -505,7 +503,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -608,8 +606,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -620,7 +618,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -678,7 +676,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -725,7 +723,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -770,15 +768,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -789,7 +787,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -806,9 +804,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -817,18 +815,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -903,9 +901,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -942,9 +940,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -989,6 +987,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-agent-all-none" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1003,8 +1003,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1028,9 +1026,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1041,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1063,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1080,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1099,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1124,8 +1122,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1134,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1152,6 +1148,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-all-none" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=none`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-all-none" GH_AW_WORKFLOW_NAME: "Smoke Agent: all/none" @@ -1174,8 +1171,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1201,9 +1196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 05f037e6b0..461a17e264 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -119,18 +117,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-public-approved.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -141,9 +139,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🤖 [{workflow_name}]({run_url}) is looking for a Smoke issue to assign...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed. Issue assigned to the agentic-workflows agent.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -158,15 +156,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, assign_to_agent, missing_tool, missing_data, noop @@ -214,9 +212,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -233,10 +231,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -256,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -283,10 +281,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentpublicapproved outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,14 +302,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,9 +334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -348,7 +346,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -357,21 +355,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"assign_to_agent":{"allowed":["copilot"],"max":1,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -545,7 +543,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -673,8 +671,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -685,7 +683,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -743,7 +741,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -790,7 +788,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -835,15 +833,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -854,7 +852,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -871,9 +869,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -882,18 +880,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -968,9 +966,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1007,9 +1005,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1054,6 +1052,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-agent-public-approved" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1068,8 +1068,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1093,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1106,9 +1104,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1130,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1147,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1166,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1191,8 +1189,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1201,9 +1197,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1219,6 +1215,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-public-approved" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🤖 [{workflow_name}]({run_url}) is looking for a Smoke issue to assign...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed. Issue assigned to the agentic-workflows agent.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-public-approved" GH_AW_WORKFLOW_NAME: "Smoke Agent: public/approved" @@ -1244,8 +1241,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1271,9 +1266,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1288,9 +1283,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require('${GH_AW_HOME}/actions/assign_to_agent.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 4a8f18c6a3..bba60ed7a3 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -119,18 +117,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-public-none.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -141,9 +139,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=public, min-integrity=none`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -158,15 +156,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -214,9 +212,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -233,10 +231,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -256,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -283,10 +281,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentpublicnone outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,14 +302,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,9 +334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -348,7 +346,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -357,21 +355,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -505,7 +503,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -608,8 +606,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -620,7 +618,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -678,7 +676,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -725,7 +723,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -770,15 +768,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -789,7 +787,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -806,9 +804,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -817,18 +815,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -903,9 +901,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -942,9 +940,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -989,6 +987,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-agent-public-none" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1003,8 +1003,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1028,9 +1026,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1041,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1063,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1080,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1099,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1124,8 +1122,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1134,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1152,6 +1148,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-public-none" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=public, min-integrity=none`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-public-none" GH_AW_WORKFLOW_NAME: "Smoke Agent: public/none" @@ -1174,8 +1171,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1201,9 +1196,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 0761147427..07e7e5d1ab 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -119,18 +117,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-agent-scoped-approved.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -141,9 +139,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=[github/gh-aw, github/*], min-integrity=approved`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -158,15 +156,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -214,9 +212,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -233,10 +231,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -256,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -283,10 +281,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentscopedapproved outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,14 +302,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -336,9 +334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -348,7 +346,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -357,21 +355,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -505,7 +503,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -608,8 +606,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -620,7 +618,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -678,7 +676,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -729,7 +727,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -774,15 +772,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -793,7 +791,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -810,9 +808,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -821,18 +819,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -907,9 +905,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -946,9 +944,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -993,6 +991,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-agent-scoped-approved" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1007,8 +1007,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1032,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1045,9 +1043,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1067,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1084,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1103,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1128,8 +1126,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1138,9 +1134,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1156,6 +1152,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-scoped-approved" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=[github/gh-aw, github/*], min-integrity=approved`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-scoped-approved" GH_AW_WORKFLOW_NAME: "Smoke Agent: scoped/approved" @@ -1178,8 +1175,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1205,9 +1200,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 1ba523b15f..0c1bdd7e78 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -69,8 +69,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -92,11 +90,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -115,18 +113,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-call-workflow.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -141,20 +139,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_auto_create_issue.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_auto_create_issue.md" cat << 'GH_AW_PROMPT_EOF' @@ -199,9 +197,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -218,10 +216,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -241,11 +239,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -267,10 +265,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecallworkflow outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -290,14 +286,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -320,9 +318,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -332,7 +330,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -341,21 +339,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"call_workflow":{"max":1,"workflow_files":{"smoke-workflow-call":"./.github/workflows/smoke-workflow-call.lock.yml"},"workflows":["smoke-workflow-call"]},"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[smoke-call-workflow]\". Labels [\"smoke-call-workflow\"] will be automatically added.", @@ -511,7 +509,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -629,8 +627,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -641,7 +639,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -694,7 +692,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -728,7 +726,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -773,15 +771,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -792,7 +790,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -809,9 +807,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -820,18 +818,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -906,9 +904,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -945,9 +943,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -999,6 +997,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-call-workflow" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1013,8 +1013,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1038,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1051,9 +1049,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1072,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1089,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1114,8 +1112,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1124,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1141,6 +1137,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-call-workflow" GH_AW_ENGINE_ID: "codex" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "smoke-call-workflow" GH_AW_WORKFLOW_NAME: "Smoke Call Workflow" outputs: @@ -1164,8 +1161,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1191,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index b8f5771639..05dd02ee47 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -87,8 +87,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -110,11 +108,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -135,9 +133,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -145,18 +143,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-claude.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -167,9 +165,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 💥 *[THE END] — Illustrated by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"💥 **WHOOSH!** [{workflow_name}]({run_url}) springs into action on this {event_type}! *[Panel 1 begins...]*\",\"runSuccess\":\"🎬 **THE END** — [{workflow_name}]({run_url}) **MISSION: ACCOMPLISHED!** The hero saves the day! ✨\",\"runFailure\":\"💫 **TO BE CONTINUED...** [{workflow_name}]({run_url}) {status}! Our hero faces unexpected challenges...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -185,22 +183,22 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, close_pull_request, update_pull_request, create_pull_request_review_comment, submit_pull_request_review, resolve_pull_request_review_thread, add_labels, add_reviewer, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -582,9 +580,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -605,10 +603,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -632,11 +630,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Install and pack APM dependencies id: apm_pack uses: microsoft/apm-action@5eac264e08ed8db603fe2c40983794f94cab49d8 # v1.3.1 @@ -679,10 +677,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeclaude outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -702,8 +698,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -746,10 +740,14 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -779,9 +777,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -789,7 +787,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Download APM bundle artifact @@ -809,10 +807,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -827,27 +825,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-claude"],"max":3},"add_reviewer":{"max":2},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1,"target":"*"},"resolve_pull_request_review_thread":{"max":5},"submit_pull_request_review":{"max":1},"update_pull_request":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -1317,7 +1315,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1606,8 +1604,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -1618,16 +1616,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -1776,7 +1774,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -1785,17 +1783,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1807,8 +1805,8 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1944,8 +1942,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -2025,8 +2023,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -2112,8 +2110,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh - cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash # Auto-generated mcp-script tool: go # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -2125,8 +2123,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GO_EOF - chmod +x /opt/gh-aw/mcp-scripts/go.sh - cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/go.sh + cat > ${GH_AW_HOME}/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash # Auto-generated mcp-script tool: make # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -2137,7 +2135,7 @@ jobs: make $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/mcp-scripts/make.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/make.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -2172,7 +2170,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -2208,7 +2206,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -2303,7 +2301,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -2454,15 +2452,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -2473,7 +2471,7 @@ jobs: SECRET_TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -2490,9 +2488,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -2501,27 +2499,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -2602,9 +2600,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2665,9 +2663,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2713,6 +2711,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-claude" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -2727,8 +2727,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2752,9 +2750,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2765,9 +2763,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2789,9 +2787,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -2806,9 +2804,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2825,9 +2823,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -2850,8 +2848,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2860,9 +2856,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -2880,6 +2876,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-claude" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 💥 *[THE END] — Illustrated by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"💥 **WHOOSH!** [{workflow_name}]({run_url}) springs into action on this {event_type}! *[Panel 1 begins...]*\",\"runSuccess\":\"🎬 **THE END** — [{workflow_name}]({run_url}) **MISSION: ACCOMPLISHED!** The hero saves the day! ✨\",\"runFailure\":\"💫 **TO BE CONTINUED...** [{workflow_name}]({run_url}) {status}! Our hero faces unexpected challenges...\"}" GH_AW_WORKFLOW_ID: "smoke-claude" GH_AW_WORKFLOW_NAME: "Smoke Claude" @@ -2907,8 +2904,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2963,9 +2958,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -2982,6 +2977,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokeclaude steps: - name: Checkout actions folder @@ -2993,8 +2989,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 9486029fc1..be721134fa 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -80,8 +80,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -103,11 +101,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -129,9 +127,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -139,18 +137,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-codex.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -161,9 +159,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔮 *The oracle has spoken through [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔮 The ancient spirits stir... [{workflow_name}]({run_url}) awakens to divine this {event_type}...\",\"runSuccess\":\"✨ The prophecy is fulfilled... [{workflow_name}]({run_url}) has completed its mystical journey. The stars align. 🌟\",\"runFailure\":\"🌑 The shadows whisper... [{workflow_name}]({run_url}) {status}. The oracle requires further meditation...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -178,17 +176,17 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, remove_labels, unassign_from_user, hide_comment, missing_tool, missing_data, noop @@ -247,9 +245,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -269,10 +267,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -295,11 +293,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -322,10 +320,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecodex outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -345,8 +341,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -360,10 +354,14 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -393,9 +391,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -405,7 +403,7 @@ jobs: - name: Install Codex run: npm install -g @openai/codex@latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -414,21 +412,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/fetch mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/fetch mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-codex"],"max":3},"create_issue":{"expires":2,"max":1},"hide_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke"],"max":3},"unassign_from_user":{"allowed":["githubactionagent"],"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -748,7 +746,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -969,8 +967,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -981,16 +979,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -1017,7 +1015,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -1026,17 +1024,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1048,7 +1046,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1082,7 +1080,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1180,7 +1178,7 @@ jobs: GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1257,7 +1255,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Codex run: | set -o pipefail @@ -1304,15 +1302,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -1323,7 +1321,7 @@ jobs: SECRET_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1340,9 +1338,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1351,27 +1349,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_codex_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1453,9 +1451,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1492,9 +1490,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1540,6 +1538,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-codex" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1554,8 +1554,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1579,9 +1577,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1592,9 +1590,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1614,9 +1612,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1631,9 +1629,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1650,9 +1648,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1675,8 +1673,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1685,9 +1681,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1703,6 +1699,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-codex" GH_AW_ENGINE_ID: "codex" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔮 *The oracle has spoken through [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔮 The ancient spirits stir... [{workflow_name}]({run_url}) awakens to divine this {event_type}...\",\"runSuccess\":\"✨ The prophecy is fulfilled... [{workflow_name}]({run_url}) has completed its mystical journey. The stars align. 🌟\",\"runFailure\":\"🌑 The shadows whisper... [{workflow_name}]({run_url}) {status}. The oracle requires further meditation...\"}" GH_AW_WORKFLOW_ID: "smoke-codex" GH_AW_WORKFLOW_NAME: "Smoke Codex" @@ -1727,8 +1724,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1754,9 +1749,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1773,6 +1768,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokecodex steps: - name: Checkout actions folder @@ -1784,8 +1780,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index f8c6c5bf1a..5637b7e63a 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -79,8 +79,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -102,11 +100,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -127,9 +125,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -137,18 +135,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-copilot-arm.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -159,9 +157,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -177,17 +175,17 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_discussion, create_pull_request_review_comment, submit_pull_request_review, add_labels, remove_labels, dispatch_workflow, missing_tool, missing_data, noop @@ -247,9 +245,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -270,10 +268,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -297,11 +295,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -326,10 +324,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecopilotarm outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -350,8 +346,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -394,10 +388,14 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -427,14 +425,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -443,10 +441,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -461,27 +459,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"allowed_repos":["github/gh-aw"],"max":2},"add_labels":{"allowed":["smoke-copilot-arm"],"allowed_repos":["github/gh-aw"],"max":3},"create_discussion":{"expires":2,"max":1},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke"],"max":3},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"default":null,"description":"The message to send","required":true,"type":"string"}},"output":"Slack message stub executed!"},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -886,7 +884,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1138,8 +1136,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -1150,16 +1148,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -1272,7 +1270,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -1281,17 +1279,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1303,8 +1301,8 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1440,8 +1438,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1521,8 +1519,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1608,7 +1606,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1643,7 +1641,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1679,7 +1677,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -1748,7 +1746,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1788,7 +1786,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1826,15 +1824,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1844,7 +1842,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1861,9 +1859,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1872,27 +1870,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1974,9 +1972,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2026,9 +2024,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2076,6 +2074,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-copilot-arm" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -2090,8 +2090,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2115,9 +2113,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2128,9 +2126,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2153,9 +2151,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -2170,9 +2168,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2190,9 +2188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -2215,8 +2213,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2225,9 +2221,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -2244,6 +2240,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-copilot-arm" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_WORKFLOW_ID: "smoke-copilot-arm" GH_AW_WORKFLOW_NAME: "Smoke Copilot ARM64" @@ -2268,8 +2265,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2296,9 +2291,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -2321,11 +2316,11 @@ jobs: uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: agent - path: /opt/gh-aw/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${{ env.GH_AW_HOME }}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${{ env.GH_AW_HOME }}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Stub Slack message run: | echo "🎭 This is a stub - not sending to Slack" @@ -2349,6 +2344,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokecopilotarm steps: - name: Checkout actions folder @@ -2360,8 +2356,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 4a975358ef..a5d3200fcb 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -81,8 +81,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -104,11 +102,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -129,9 +127,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -139,18 +137,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-copilot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -162,9 +160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -180,17 +178,17 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_discussion, create_pull_request_review_comment, submit_pull_request_review, reply_to_pull_request_review_comment, add_labels, remove_labels, set_issue_type, dispatch_workflow, missing_tool, missing_data, noop @@ -250,9 +248,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -273,10 +271,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -300,11 +298,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -329,10 +327,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecopilot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -353,8 +349,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -397,10 +391,14 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -430,14 +428,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -446,10 +444,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -464,27 +462,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"allowed_repos":["github/gh-aw"],"max":2},"add_labels":{"allowed":["smoke-copilot"],"allowed_repos":["github/gh-aw"],"max":3},"create_discussion":{"expires":2,"max":1},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke"],"max":3},"reply_to_pull_request_review_comment":{"max":5},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"default":null,"description":"The message to send","required":true,"type":"string"}},"output":"Slack message stub executed!"},"set_issue_type":{"max":5},"submit_pull_request_review":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -961,7 +959,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1253,8 +1251,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -1265,16 +1263,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -1387,7 +1385,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -1396,17 +1394,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -1418,8 +1416,8 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh - cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1555,8 +1553,8 @@ jobs: fi GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh - cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-discussion-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1636,8 +1634,8 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh - cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' + chmod +x ${GH_AW_HOME}/mcp-scripts/github-issue-query.sh + cat > ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -1723,7 +1721,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/github-pr-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -1758,7 +1756,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1794,7 +1792,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -1863,7 +1861,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1903,7 +1901,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1941,15 +1939,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1959,7 +1957,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1976,9 +1974,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1987,27 +1985,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -2089,9 +2087,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2141,9 +2139,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -2191,6 +2189,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-copilot" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -2205,8 +2205,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2230,9 +2228,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2243,9 +2241,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -2268,9 +2266,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -2285,9 +2283,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2305,9 +2303,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -2330,8 +2328,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2340,9 +2336,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -2359,6 +2355,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-copilot" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_WORKFLOW_ID: "smoke-copilot" GH_AW_WORKFLOW_NAME: "Smoke Copilot" @@ -2383,8 +2380,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2411,9 +2406,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -2436,11 +2431,11 @@ jobs: uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: agent - path: /opt/gh-aw/safe-jobs/ + path: ${{ env.GH_AW_HOME }}/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/opt/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent_output.json" >> "$GITHUB_ENV" + find "${{ env.GH_AW_HOME }}/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=${{ env.GH_AW_HOME }}/safe-jobs/agent_output.json" >> "$GITHUB_ENV" - name: Stub Slack message run: | echo "🎭 This is a stub - not sending to Slack" @@ -2464,6 +2459,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokecopilot steps: - name: Checkout actions folder @@ -2475,8 +2471,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 41991edec1..b0d5ab5887 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,7 +95,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -114,18 +112,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-create-cross-repo-pr.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -136,9 +134,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -154,20 +152,20 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -218,9 +216,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -238,10 +236,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -262,11 +260,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -290,10 +288,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecreatecrossrepopr outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -314,8 +310,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -327,7 +321,11 @@ jobs: repository: githubnext/gh-aw-side-repo token: ${{ secrets.GH_AW_SIDE_REPO_PAT }} - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -350,14 +348,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -367,21 +365,21 @@ jobs: CUSTOM_GITHUB_TOKEN: ${{ secrets.GH_AW_SIDE_REPO_PAT }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"create_issue":{"expires":2,"max":1},"create_pull_request":{"draft":true,"expires":24,"fallback_as_issue":false,"max":1,"target-repo":"githubnext/gh-aw-side-repo","title_prefix":"[smoke] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -613,7 +611,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -785,8 +783,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -797,7 +795,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -826,7 +824,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -861,7 +859,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -899,7 +897,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -937,15 +935,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_SIDE_REPO_PAT,GITHUB_TOKEN' @@ -955,7 +953,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -972,9 +970,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -983,18 +981,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1070,9 +1068,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1123,9 +1121,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1170,6 +1168,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-create-cross-repo-pr" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1184,8 +1184,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1209,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1222,9 +1220,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1246,9 +1244,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1263,9 +1261,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1277,9 +1275,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1296,9 +1294,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1321,8 +1319,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1331,9 +1327,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1351,6 +1347,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-create-cross-repo-pr" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-create-cross-repo-pr" GH_AW_WORKFLOW_NAME: "Smoke Create Cross-Repo PR" @@ -1378,7 +1375,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1436,9 +1432,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 50c53a8b10..f057b3c09c 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -80,8 +80,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -103,11 +101,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate GEMINI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh GEMINI_API_KEY 'Gemini CLI' https://geminicli.com/docs/get-started/authentication/ + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh GEMINI_API_KEY 'Gemini CLI' https://geminicli.com/docs/get-started/authentication/ env: GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} - name: Checkout .github and .agents folders @@ -128,9 +126,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -138,18 +136,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-gemini.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -160,9 +158,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ✨ *[{workflow_name}]({run_url}) — Powered by Gemini*{history_link}\",\"runStarted\":\"✨ Gemini awakens... [{workflow_name}]({run_url}) begins its journey on this {event_type}...\",\"runSuccess\":\"🚀 [{workflow_name}]({run_url}) **MISSION COMPLETE!** Gemini has spoken. ✨\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status}. Gemini encountered unexpected challenges...\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -177,16 +175,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, add_labels, missing_tool, missing_data, noop @@ -241,9 +239,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -263,10 +261,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -289,11 +287,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -316,10 +314,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokegemini outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -339,17 +335,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -379,9 +377,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -389,7 +387,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Gemini CLI run: npm install -g @google/gemini-cli@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -400,21 +398,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/fetch node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/fetch node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-gemini"],"max":3},"create_issue":{"expires":2,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -626,7 +624,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -781,8 +779,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -793,16 +791,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "gh", @@ -829,7 +827,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -838,17 +836,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash # Auto-generated mcp-script tool: gh # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -860,7 +858,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS GH_AW_MCP_SCRIPTS_SH_GH_EOF - chmod +x /opt/gh-aw/mcp-scripts/gh.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/gh.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -894,7 +892,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -926,7 +924,7 @@ jobs: export GH_AW_ENGINE="gemini" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -970,7 +968,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Write Gemini settings run: | mkdir -p "$GITHUB_WORKSPACE/.gemini" @@ -1026,15 +1024,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GEMINI_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1044,7 +1042,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1061,9 +1059,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Clean up engine output files run: | @@ -1075,27 +1073,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_gemini_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_gemini_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Upload cache-memory data as artifact uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -1161,9 +1159,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1211,9 +1209,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1259,6 +1257,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-gemini" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1273,8 +1273,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1298,9 +1296,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1311,9 +1309,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1333,9 +1331,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1350,9 +1348,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1369,9 +1367,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1394,8 +1392,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1404,9 +1400,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1422,6 +1418,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-gemini" GH_AW_ENGINE_ID: "gemini" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ✨ *[{workflow_name}]({run_url}) — Powered by Gemini*{history_link}\",\"runStarted\":\"✨ Gemini awakens... [{workflow_name}]({run_url}) begins its journey on this {event_type}...\",\"runSuccess\":\"🚀 [{workflow_name}]({run_url}) **MISSION COMPLETE!** Gemini has spoken. ✨\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status}. Gemini encountered unexpected challenges...\"}" GH_AW_WORKFLOW_ID: "smoke-gemini" GH_AW_WORKFLOW_NAME: "Smoke Gemini" @@ -1446,8 +1443,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1473,9 +1468,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1492,6 +1487,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokegemini steps: - name: Checkout actions folder @@ -1503,8 +1499,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 4d8c461165..2b7d819c47 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -75,8 +75,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -98,11 +96,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -123,9 +121,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -133,18 +131,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-multi-pr.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -155,9 +153,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Multi PR smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing multiple PR creation...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created multiple PRs.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create multiple PRs. Check the logs.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -172,20 +170,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -231,9 +229,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -250,10 +248,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -273,11 +271,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -299,10 +297,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokemultipr outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -323,14 +319,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -353,14 +351,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -369,21 +367,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":2,"max":2,"title_prefix":"[smoke-multi-pr] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -566,7 +564,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -705,8 +703,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -717,7 +715,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -746,7 +744,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -781,7 +779,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -843,7 +841,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -881,15 +879,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -899,7 +897,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -916,9 +914,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -927,18 +925,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1014,9 +1012,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1066,9 +1064,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1113,6 +1111,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-multi-pr" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1127,8 +1127,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1152,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1165,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1190,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1207,9 +1205,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1221,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1240,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1265,8 +1263,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1275,9 +1271,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1295,6 +1291,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-multi-pr" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Multi PR smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing multiple PR creation...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created multiple PRs.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create multiple PRs. Check the logs.\"}" GH_AW_WORKFLOW_ID: "smoke-multi-pr" GH_AW_WORKFLOW_NAME: "Smoke Multi PR" @@ -1319,8 +1316,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1375,9 +1370,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 79f8f7aa7f..a35bc6b045 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -121,9 +119,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -131,18 +129,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-project.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -153,9 +151,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Project smoke test report by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing project operations...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. All project operations validated.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -170,20 +168,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, create_pull_request, add_labels, remove_labels, update_project, create_project_status_update, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -228,9 +226,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -247,10 +245,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -270,11 +268,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -298,10 +296,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeproject outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -322,14 +318,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -352,14 +350,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -368,21 +366,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-project"],"max":3},"create_issue":{"expires":2,"group":true,"max":1},"create_project_status_update":{"max":1},"create_pull_request":{"expires":2,"max":1,"title_prefix":"[smoke-project] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"remove_labels":{"allowed":["smoke-project"],"max":3},"update_project":{"max":20}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"ai-generated\" \"automation\" \"testing\"] will be automatically added.", @@ -871,7 +869,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -1163,8 +1161,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -1175,7 +1173,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -1204,7 +1202,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1239,7 +1237,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1276,7 +1274,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1314,15 +1312,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1332,7 +1330,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1349,9 +1347,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1360,18 +1358,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1447,9 +1445,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1499,9 +1497,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1546,6 +1544,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-project" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1560,8 +1560,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1585,9 +1583,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1598,9 +1596,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1623,9 +1621,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1640,9 +1638,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1654,9 +1652,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1673,9 +1671,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1698,8 +1696,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1708,9 +1704,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1728,6 +1724,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-project" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Project smoke test report by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing project operations...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. All project operations validated.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-project" GH_AW_WORKFLOW_NAME: "Smoke Project" @@ -1755,7 +1752,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1813,9 +1809,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 035b5975d2..51b8dd1e27 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -73,8 +73,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -96,11 +94,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -121,9 +119,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -131,18 +129,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-temporary-id.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -153,9 +151,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Temporary ID smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing temporary ID functionality...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. Temporary ID validation passed.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -170,15 +168,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, link_sub_issue, missing_tool, missing_data, noop @@ -225,9 +223,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -244,10 +242,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -267,11 +265,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -294,10 +292,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smoketemporaryid outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -318,14 +314,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -348,14 +346,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -364,21 +362,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"create_issue":{"expires":2,"group":true,"max":5},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[smoke-temporary-id] \". Labels [\"ai-generated\" \"automation\" \"testing\"] will be automatically added.", @@ -597,7 +595,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -751,8 +749,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -763,7 +761,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -792,7 +790,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -827,7 +825,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -864,7 +862,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -902,15 +900,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -920,7 +918,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -937,9 +935,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -948,18 +946,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1034,9 +1032,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1086,9 +1084,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1133,6 +1131,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-temporary-id" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1147,8 +1147,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1172,9 +1170,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1185,9 +1183,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1208,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1225,9 +1223,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1244,9 +1242,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1269,8 +1267,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1279,9 +1275,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1297,6 +1293,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-temporary-id" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Temporary ID smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing temporary ID functionality...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. Temporary ID validation passed.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-temporary-id" GH_AW_WORKFLOW_NAME: "Smoke Temporary ID" @@ -1321,8 +1318,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1348,9 +1343,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 68cae0ed17..fae54499fc 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -75,8 +75,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -98,11 +96,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -120,18 +118,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-test-tools.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -142,9 +140,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔧 *Tool validation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Starting tool validation... [{workflow_name}]({run_url}) is checking the agent container tools...\",\"runSuccess\":\"✅ All tools validated successfully! [{workflow_name}]({run_url}) confirms agent container is ready.\",\"runFailure\":\"❌ Tool validation failed! [{workflow_name}]({run_url}) detected missing tools: {status}\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -159,15 +157,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -214,9 +212,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -233,10 +231,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -256,11 +254,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -283,10 +281,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smoketesttools outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -307,8 +303,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -339,7 +333,11 @@ jobs: with: python-version: '3.11' - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -362,14 +360,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -378,21 +376,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 2 comment(s) can be added.", @@ -526,7 +524,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -629,8 +627,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -641,7 +639,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -670,7 +668,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -705,7 +703,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -742,7 +740,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -780,15 +778,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -798,7 +796,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -815,9 +813,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -826,18 +824,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -912,9 +910,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -964,9 +962,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1011,6 +1009,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-test-tools" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1025,8 +1025,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1050,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1063,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1086,9 +1084,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1103,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1122,9 +1120,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1147,8 +1145,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1157,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1175,6 +1171,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-test-tools" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔧 *Tool validation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Starting tool validation... [{workflow_name}]({run_url}) is checking the agent container tools...\",\"runSuccess\":\"✅ All tools validated successfully! [{workflow_name}]({run_url}) confirms agent container is ready.\",\"runFailure\":\"❌ Tool validation failed! [{workflow_name}]({run_url}) detected missing tools: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-test-tools" GH_AW_WORKFLOW_NAME: "Agent Container Smoke Test" @@ -1197,8 +1194,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1224,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index acf0740494..f0511facb3 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -97,7 +95,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Checkout .github and .agents folders uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -114,18 +112,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-update-cross-repo-pr.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Add comment with workflow run link id: add-comment @@ -136,9 +134,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_workflow_run_comment.cjs'); await main(); - name: Create prompt with built-in context env: @@ -154,21 +152,21 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -219,9 +217,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -242,10 +240,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -269,11 +267,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -297,10 +295,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeupdatecrossrepopr outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -321,8 +317,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -341,10 +335,14 @@ jobs: header=$(printf "x-access-token:%s" "${GH_AW_FETCH_TOKEN}" | base64) git -c "http.extraheader=Authorization: Basic ${header}" fetch origin '+refs/heads/main:refs/remotes/origin/main' '+refs/pull/*/head:refs/remotes/origin/pull/*/head' - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -374,14 +372,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -391,21 +389,21 @@ jobs: CUSTOM_GITHUB_TOKEN: ${{ secrets.GH_AW_SIDE_REPO_PAT }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":2},"create_issue":{"expires":2,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1,"target":"1"}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [\"automation\" \"testing\"] will be automatically added.", @@ -624,7 +622,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -780,8 +778,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -792,7 +790,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -821,7 +819,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -856,7 +854,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -894,7 +892,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -932,15 +930,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_SIDE_REPO_PAT,GITHUB_TOKEN' @@ -950,7 +948,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -967,9 +965,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -978,18 +976,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1071,9 +1069,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1124,9 +1122,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1172,6 +1170,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-update-cross-repo-pr" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1186,8 +1186,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1211,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1224,9 +1222,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1248,9 +1246,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1265,9 +1263,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1284,9 +1282,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/notify_comment_error.cjs'); await main(); pre_activation: @@ -1309,8 +1307,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1319,9 +1315,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1339,6 +1335,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-update-cross-repo-pr" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-update-cross-repo-pr" GH_AW_WORKFLOW_NAME: "Smoke Update Cross-Repo PR" @@ -1366,7 +1363,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1423,9 +1419,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1442,6 +1438,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: smokeupdatecrossrepopr steps: - name: Checkout actions folder @@ -1453,8 +1450,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 64f6fcf015..625e6b69f7 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -82,16 +82,14 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Resolve host repo for activation checkout id: resolve-host-repo uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/resolve_host_repo.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/resolve_host_repo.cjs'); await main(); - name: Compute artifact prefix id: artifact-prefix @@ -120,11 +118,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Cross-repo setup guidance @@ -150,9 +148,9 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-workflow-call-with-inputs.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -168,20 +166,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_auto_create_issue.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_auto_create_issue.md" cat << 'GH_AW_PROMPT_EOF' @@ -227,9 +225,9 @@ jobs: GH_AW_EXPR_B3924FAD: ${{ inputs.task-description }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -247,10 +245,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -271,11 +269,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -298,10 +296,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeworkflowcallwithinputs outputs: artifact_prefix: ${{ needs.activation.outputs.artifact_prefix }} @@ -323,14 +319,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -353,14 +351,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -369,21 +367,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[smoke-workflow-call-with-inputs]\". Labels [\"smoke-workflow-call-with-inputs\"] will be automatically added.", @@ -529,7 +527,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -647,8 +645,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -659,7 +657,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -688,7 +686,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -723,7 +721,7 @@ jobs: name: ${{ needs.activation.outputs.artifact_prefix }}activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -776,7 +774,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -814,15 +812,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -832,7 +830,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -849,9 +847,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -860,18 +858,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -946,9 +944,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -998,9 +996,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1043,6 +1041,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-workflow-call-with-inputs" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1057,8 +1057,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1082,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1095,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1117,9 +1115,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1134,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1156,8 +1154,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1166,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1184,6 +1180,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-workflow-call-with-inputs" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "smoke-workflow-call-with-inputs" GH_AW_WORKFLOW_NAME: "Smoke Workflow Call with Inputs" outputs: @@ -1205,8 +1202,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1232,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index cc0a49d2aa..457ff1809e 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -70,16 +70,14 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Resolve host repo for activation checkout id: resolve-host-repo uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/resolve_host_repo.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/resolve_host_repo.cjs'); await main(); - name: Compute artifact prefix id: artifact-prefix @@ -108,11 +106,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Cross-repo setup guidance @@ -138,9 +136,9 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-workflow-call.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -155,15 +153,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -210,9 +208,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -229,10 +227,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -252,11 +250,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -278,10 +276,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeworkflowcall outputs: artifact_prefix: ${{ needs.activation.outputs.artifact_prefix }} @@ -303,14 +299,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -333,14 +331,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -349,21 +347,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -497,7 +495,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -600,8 +598,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -612,7 +610,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -641,7 +639,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -676,7 +674,7 @@ jobs: name: ${{ needs.activation.outputs.artifact_prefix }}activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -733,7 +731,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -771,15 +769,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -789,7 +787,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -806,9 +804,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -817,18 +815,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -903,9 +901,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -955,9 +953,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1002,6 +1000,8 @@ jobs: concurrency: group: "gh-aw-conclusion-smoke-workflow-call" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1016,8 +1016,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1041,9 +1039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1054,9 +1052,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1077,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1094,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1116,8 +1114,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1126,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1146,6 +1142,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-workflow-call" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔁 *workflow_call smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🔁 [{workflow_name}]({run_url}) is validating workflow_call checkout...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully validated workflow_call checkout.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to validate workflow_call checkout. Check the logs.\"}" GH_AW_WORKFLOW_ID: "smoke-workflow-call" GH_AW_WORKFLOW_NAME: "Smoke Workflow Call" @@ -1168,8 +1165,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1195,9 +1190,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index b18e5a352a..0737ff71b1 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -74,8 +74,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -100,11 +98,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -122,9 +120,9 @@ jobs: GH_AW_WORKFLOW_FILE: "stale-repo-identifier.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -140,16 +138,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, upload_asset, missing_tool, missing_data, noop @@ -213,9 +211,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -235,10 +233,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -261,11 +259,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -291,10 +289,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: stalerepoidentifier outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -315,14 +311,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -384,7 +382,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -414,27 +412,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"group":true,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[Stale Repository] \". Labels [\"stale-repository\" \"automated-analysis\" \"cookie\"] will be automatically added.", @@ -605,7 +603,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -732,8 +730,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -744,7 +742,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -775,7 +773,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -810,7 +808,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -850,7 +848,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -888,15 +886,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -906,7 +904,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -923,9 +921,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -934,18 +932,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1035,9 +1033,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1087,9 +1085,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1134,6 +1132,8 @@ jobs: concurrency: group: "gh-aw-conclusion-stale-repo-identifier" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1148,8 +1148,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1173,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1186,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1209,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1226,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1242,6 +1240,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/stale-repo-identifier" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Analysis by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 Stale Repository Identifier starting! [{workflow_name}]({run_url}) is analyzing repository activity...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has finished analyzing stale repositories.\",\"runFailure\":\"⚠️ Analysis interrupted! [{workflow_name}]({run_url}) {status}.\"}" GH_AW_WORKFLOW_ID: "stale-repo-identifier" GH_AW_WORKFLOW_NAME: "Stale Repository Identifier" @@ -1264,8 +1263,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1291,9 +1288,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1310,6 +1307,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: stalerepoidentifier steps: - name: Checkout actions folder @@ -1321,8 +1319,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1366,8 +1362,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1423,8 +1417,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 0cb9d034f0..ef14c4dc8b 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "static-analysis-report.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -185,9 +183,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -231,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -261,10 +259,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: staticanalysisreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,8 +280,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -321,7 +315,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Pull static analysis Docker images run: "set -e\necho \"Pulling Docker images for static analysis tools...\"\n\n# Pull zizmor Docker image\necho \"Pulling zizmor image...\"\ndocker pull ghcr.io/zizmorcore/zizmor:latest\n\n# Pull poutine Docker image\necho \"Pulling poutine image...\"\ndocker pull ghcr.io/boostsecurityio/poutine:latest\n\necho \"All static analysis Docker images pulled successfully\"\n" - name: Verify static analysis tools @@ -331,7 +329,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -361,9 +359,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -371,7 +369,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -382,10 +380,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -400,27 +398,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"security\".", @@ -551,7 +549,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -662,8 +660,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -674,7 +672,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -703,7 +701,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -748,7 +746,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -873,15 +871,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -891,7 +889,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -908,9 +906,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -919,18 +917,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1009,9 +1007,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1072,9 +1070,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1119,6 +1117,8 @@ jobs: concurrency: group: "gh-aw-conclusion-static-analysis-report" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1133,8 +1133,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1158,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1171,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1194,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1211,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1228,6 +1226,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/static-analysis-report" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "static-analysis-report" GH_AW_WORKFLOW_NAME: "Static Analysis Report" outputs: @@ -1247,8 +1246,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1274,9 +1271,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1293,6 +1290,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: staticanalysisreport steps: - name: Checkout actions folder @@ -1304,8 +1302,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 13f899e106..60b4dcc10d 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -104,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "step-name-alignment.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,16 +119,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -177,9 +175,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -198,10 +196,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -252,10 +250,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: stepnamealignment outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,17 +271,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -315,9 +313,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -325,7 +323,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -336,21 +334,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[step-names] \". Labels [\"maintenance\" \"step-naming\" \"cookie\"] will be automatically added.", @@ -496,7 +494,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -614,8 +612,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -626,7 +624,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -654,7 +652,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -688,7 +686,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -828,15 +826,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -846,7 +844,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -863,9 +861,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -874,18 +872,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -964,9 +962,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1027,9 +1025,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1073,6 +1071,8 @@ jobs: concurrency: group: "gh-aw-conclusion-step-name-alignment" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1087,8 +1087,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1112,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1125,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1146,9 +1144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1163,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1179,6 +1177,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/step-name-alignment" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "step-name-alignment" GH_AW_WORKFLOW_NAME: "Step Name Alignment" outputs: @@ -1200,8 +1199,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1227,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1246,6 +1243,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: stepnamealignment steps: - name: Checkout actions folder @@ -1257,8 +1255,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index ceaac3637d..7b79ed0d8a 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "sub-issue-closer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,15 +119,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, update_issue, missing_tool, missing_data, noop @@ -177,9 +175,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -195,10 +193,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -217,11 +215,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -245,10 +243,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: subissuecloser outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -269,14 +265,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -299,14 +297,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -315,21 +313,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":20,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":20}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 20 comment(s) can be added. Target: *.", @@ -535,7 +533,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -692,8 +690,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -704,7 +702,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -733,7 +731,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -768,7 +766,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -805,7 +803,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -843,15 +841,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -861,7 +859,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -878,9 +876,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -889,18 +887,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -975,9 +973,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1027,9 +1025,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1074,6 +1072,8 @@ jobs: concurrency: group: "gh-aw-conclusion-sub-issue-closer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1088,8 +1088,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1113,9 +1111,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1126,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1148,9 +1146,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1165,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1183,6 +1181,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/sub-issue-closer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "sub-issue-closer" GH_AW_WORKFLOW_NAME: "Sub-Issue Closer" outputs: @@ -1204,8 +1203,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1231,9 +1228,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index edc719411f..af9d14a859 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -62,8 +62,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "super-linter.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,16 +123,16 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -188,9 +186,9 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -210,10 +208,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -236,11 +234,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -268,10 +266,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: superlinter outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -292,14 +288,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Download super-linter log uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -308,7 +306,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -338,14 +336,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -354,21 +352,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[linter] \". Labels [\"automation\" \"code-quality\" \"cookie\"] will be automatically added.", @@ -514,7 +512,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -632,8 +630,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -644,7 +642,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -673,7 +671,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -708,7 +706,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -745,7 +743,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -783,15 +781,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -801,7 +799,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -818,9 +816,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -829,18 +827,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -921,9 +919,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -973,9 +971,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1019,6 +1017,8 @@ jobs: concurrency: group: "gh-aw-conclusion-super-linter" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1033,8 +1033,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1058,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1071,9 +1069,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1093,9 +1091,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1110,9 +1108,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1126,6 +1124,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/super-linter" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "super-linter" GH_AW_WORKFLOW_NAME: "Super Linter Report" outputs: @@ -1147,8 +1146,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1239,6 +1236,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: superlinter steps: - name: Checkout actions folder @@ -1250,8 +1248,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index a3124b01b2..89e0c8ea82 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -67,8 +67,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -112,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "technical-doc-writer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -130,22 +128,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, upload_asset, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -202,9 +200,9 @@ jobs: GH_AW_GITHUB_EVENT_INPUTS_TOPIC: ${{ github.event.inputs.topic }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -230,10 +228,10 @@ jobs: GH_AW_WIKI_NOTE: "\n\n> **GitHub Wiki**: This memory is backed by the GitHub Wiki for this repository. Files use GitHub Wiki Markdown syntax. Follow GitHub Wiki conventions when creating or editing pages (e.g., use standard Markdown headers, use `[[Page Name]]` syntax for internal wiki links, name page files with spaces replaced by hyphens or use the wiki page title as the filename)." with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -262,11 +260,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -290,10 +288,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: technicaldocwriter outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -314,8 +310,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -327,9 +321,9 @@ jobs: GH_AW_AGENT_IMPORT_SPEC: "../agents/technical-doc-writer.agent.md" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/merge_remote_agent_github_folder.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/merge_remote_agent_github_folder.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -339,7 +333,11 @@ jobs: cache-dependency-path: 'docs/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install QMD run: npm install -g @tobilu/qmd - name: Restore QMD index cache @@ -362,7 +360,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -379,7 +377,7 @@ jobs: TARGET_REPO: ${{ github.repository }}.wiki MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: false - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -402,14 +400,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -418,21 +416,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":10240,"max_patch_size":10240}]},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -655,7 +653,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -803,8 +801,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -815,16 +813,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -852,7 +850,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -861,17 +859,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -883,7 +881,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -915,7 +913,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -949,7 +947,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -991,7 +989,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1031,7 +1029,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -1069,15 +1067,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1087,7 +1085,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1104,9 +1102,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1115,27 +1113,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1236,9 +1234,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1288,9 +1286,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1338,6 +1336,8 @@ jobs: concurrency: group: "gh-aw-conclusion-technical-doc-writer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1352,8 +1352,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1377,9 +1375,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1390,9 +1388,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1419,9 +1417,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1436,9 +1434,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1450,9 +1448,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); push_repo_memory: @@ -1464,6 +1462,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1478,8 +1478,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1522,9 +1520,9 @@ jobs: ALLOWED_EXTENSIONS: '[]' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1542,6 +1540,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/technical-doc-writer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📝 *Documentation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"✍️ The Technical Writer begins! [{workflow_name}]({run_url}) is documenting this {event_type}...\",\"runSuccess\":\"📝 Documentation complete! [{workflow_name}]({run_url}) has written the docs. Clear as crystal! ✨\",\"runFailure\":\"✍️ Writer's block! [{workflow_name}]({run_url}) {status}. The page remains blank...\"}" GH_AW_WORKFLOW_ID: "technical-doc-writer" GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes" @@ -1566,8 +1565,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1622,9 +1619,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1641,6 +1638,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: technicaldocwriter steps: - name: Checkout actions folder @@ -1652,8 +1650,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1697,8 +1693,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1754,8 +1748,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 69c3f75f68..0fe94fcfd3 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -87,11 +85,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -109,9 +107,9 @@ jobs: GH_AW_WORKFLOW_FILE: "terminal-stylist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -126,15 +124,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -189,9 +187,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,10 +205,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -229,11 +227,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -256,10 +254,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: terminalstylist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,14 +276,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -310,14 +308,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -326,21 +324,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -471,7 +469,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -582,8 +580,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -594,7 +592,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -623,7 +621,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -666,7 +664,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -703,7 +701,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -741,15 +739,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -759,7 +757,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -776,9 +774,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -787,18 +785,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -873,9 +871,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -925,9 +923,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -971,6 +969,8 @@ jobs: concurrency: group: "gh-aw-conclusion-terminal-stylist" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -985,8 +985,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1010,9 +1008,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1023,9 +1021,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1047,9 +1045,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1064,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1081,6 +1079,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/terminal-stylist" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "terminal-stylist" GH_AW_WORKFLOW_NAME: "Terminal Stylist" outputs: @@ -1100,8 +1099,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1127,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 65d42afa41..23ab562e07 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -56,8 +56,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -79,11 +77,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -101,9 +99,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-create-pr-error-handling.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -118,21 +116,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -177,9 +175,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -198,10 +196,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -250,10 +248,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: testcreateprerrorhandling outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -273,17 +269,19 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -313,9 +311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -323,7 +321,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -334,21 +332,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Labels [\"test\"] will be automatically added.", @@ -494,7 +492,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -615,8 +613,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -627,7 +625,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -655,7 +653,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -689,7 +687,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -813,15 +811,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -831,7 +829,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -848,9 +846,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -859,18 +857,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -950,9 +948,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1013,9 +1011,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1060,6 +1058,8 @@ jobs: concurrency: group: "gh-aw-conclusion-test-create-pr-error-handling" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1074,8 +1074,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1099,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1112,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1135,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1152,9 +1150,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1166,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1185,6 +1183,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/test-create-pr-error-handling" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "test-create-pr-error-handling" GH_AW_WORKFLOW_NAME: "Test Create PR Error Handling" outputs: @@ -1206,8 +1205,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1262,9 +1259,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1281,6 +1278,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: testcreateprerrorhandling steps: - name: Checkout actions folder @@ -1292,8 +1290,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index cb5d845790..2b26162cd7 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -55,8 +55,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -78,11 +76,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -100,9 +98,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-dispatcher.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -117,15 +115,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: dispatch_workflow, missing_tool, missing_data, noop @@ -172,9 +170,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -190,10 +188,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -212,11 +210,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -238,10 +236,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: testdispatcher outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -262,14 +258,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -292,14 +290,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -308,21 +306,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"dispatch_workflow":{"max":1,"workflow_files":{"test-workflow":".lock.yml"},"workflows":["test-workflow"]},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -437,7 +435,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "missing_data": { "defaultMax": 20, @@ -522,8 +520,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -534,7 +532,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -563,7 +561,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -598,7 +596,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -635,7 +633,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -673,15 +671,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -691,7 +689,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -708,9 +706,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -719,18 +717,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -805,9 +803,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -857,9 +855,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -901,6 +899,8 @@ jobs: concurrency: group: "gh-aw-conclusion-test-dispatcher" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -915,8 +915,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -940,9 +938,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -953,9 +951,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -975,9 +973,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -992,9 +990,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1007,6 +1005,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/test-dispatcher" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "test-dispatcher" GH_AW_WORKFLOW_NAME: "Test Dispatcher Workflow" outputs: @@ -1026,8 +1025,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1053,9 +1050,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 34ba71a818..4d3ded6387 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -55,8 +55,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -78,11 +76,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -100,9 +98,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-project-url-default.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -117,15 +115,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_project, create_project_status_update, missing_tool, missing_data, noop @@ -172,9 +170,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -190,10 +188,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -212,11 +210,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -237,10 +235,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: testprojecturldefault outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -261,14 +257,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -291,14 +289,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -307,21 +305,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_project_status_update":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_project":{"max":5}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -614,7 +612,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_project_status_update": { "defaultMax": 10, @@ -781,8 +779,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -793,7 +791,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -822,7 +820,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -857,7 +855,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -894,7 +892,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -932,15 +930,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -950,7 +948,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -967,9 +965,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -978,18 +976,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1064,9 +1062,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1116,9 +1114,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1160,6 +1158,8 @@ jobs: concurrency: group: "gh-aw-conclusion-test-project-url-default" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1174,8 +1174,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1199,9 +1197,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1212,9 +1210,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1234,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1251,9 +1249,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1266,6 +1264,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/test-project-url-default" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "test-project-url-default" GH_AW_WORKFLOW_NAME: "Test Project URL Explicit Requirement" outputs: @@ -1286,7 +1285,6 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1315,9 +1313,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index c42f8709be..dfac6f37ee 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -60,8 +60,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -83,11 +81,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -105,9 +103,9 @@ jobs: GH_AW_WORKFLOW_FILE: "test-workflow.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,14 +119,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -172,9 +170,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -190,10 +188,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -212,11 +210,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -233,6 +231,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: testworkflow outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -248,14 +247,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -278,14 +279,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -294,10 +295,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -322,7 +323,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -350,7 +351,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -386,7 +387,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -424,15 +425,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -442,7 +443,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -450,18 +451,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index d2e91c6bf7..f7fef188bf 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -83,8 +83,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -106,11 +104,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -131,9 +129,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -141,18 +139,18 @@ jobs: GH_AW_WORKFLOW_FILE: "tidy.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -168,21 +166,21 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, push_to_pull_request_branch, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" - cat "/opt/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_push_to_pr_branch.md" cat << 'GH_AW_PROMPT_EOF' @@ -215,7 +213,7 @@ jobs: GH_AW_PROMPT_EOF if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then - cat "/opt/gh-aw/prompts/pr_context_prompt.md" + cat "${GH_AW_HOME}/prompts/pr_context_prompt.md" fi cat << 'GH_AW_PROMPT_EOF' @@ -230,9 +228,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -251,10 +249,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -276,11 +274,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -303,10 +301,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: tidy outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -327,14 +323,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: @@ -371,14 +369,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -387,21 +385,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[tidy] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[tidy] \". Labels [\"automation\" \"maintenance\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -583,7 +581,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -724,8 +722,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -736,7 +734,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -765,7 +763,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -800,7 +798,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -862,7 +860,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -900,15 +898,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -918,7 +916,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -936,9 +934,9 @@ jobs: GH_AW_COMMAND: tidy with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -947,18 +945,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1034,9 +1032,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1086,9 +1084,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1132,6 +1130,8 @@ jobs: concurrency: group: "gh-aw-conclusion-tidy" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1146,8 +1146,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1171,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1186,9 +1184,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1210,9 +1208,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1227,9 +1225,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1241,9 +1239,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1266,8 +1264,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1276,9 +1272,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1287,9 +1283,9 @@ jobs: GH_AW_COMMANDS: "[\"tidy\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1306,6 +1302,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/tidy" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "tidy" GH_AW_WORKFLOW_NAME: "Tidy" outputs: @@ -1329,8 +1326,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1385,9 +1380,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 02c9e8fb47..ca76ab52d8 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "typist.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, missing_tool, missing_data, noop @@ -188,9 +186,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -206,10 +204,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -228,11 +226,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -257,10 +255,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: typist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,14 +276,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -310,9 +308,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -320,7 +318,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -331,21 +329,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -476,7 +474,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -587,8 +585,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -599,7 +597,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -627,7 +625,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -677,7 +675,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -816,15 +814,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -834,7 +832,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -851,9 +849,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -862,18 +860,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -946,9 +944,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1009,9 +1007,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1055,6 +1053,8 @@ jobs: concurrency: group: "gh-aw-conclusion-typist" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1069,8 +1069,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1094,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1107,9 +1105,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1130,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1147,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1164,6 +1162,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/typist" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "typist" GH_AW_WORKFLOW_NAME: "Typist - Go Type Analysis" outputs: @@ -1183,8 +1182,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1210,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index cf49fdd546..fc47bdd885 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -66,8 +66,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -89,11 +87,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -111,9 +109,9 @@ jobs: GH_AW_WORKFLOW_FILE: "ubuntu-image-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,20 +126,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -190,9 +188,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -209,10 +207,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -232,11 +230,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -262,10 +260,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: ubuntuimageanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,14 +282,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -316,14 +314,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -332,21 +330,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":48,"max":1,"title_prefix":"[ubuntu-image] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ubuntu-image] \". Labels [\"documentation\" \"automation\" \"infrastructure\"] will be automatically added.", @@ -492,7 +490,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -613,8 +611,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -625,7 +623,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -654,7 +652,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -689,7 +687,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -752,7 +750,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -790,15 +788,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -808,7 +806,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -825,9 +823,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -836,18 +834,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -923,9 +921,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -975,9 +973,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1021,6 +1019,8 @@ jobs: concurrency: group: "gh-aw-conclusion-ubuntu-image-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1035,8 +1035,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1061,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1075,9 +1073,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1100,9 +1098,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1118,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1133,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1155,8 +1153,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1165,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1178,9 +1174,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1197,6 +1193,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ubuntu-image-analyzer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "ubuntu-image-analyzer" GH_AW_WORKFLOW_ID: "ubuntu-image-analyzer" GH_AW_WORKFLOW_NAME: "Ubuntu Actions Image Analyzer" @@ -1219,8 +1216,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1275,9 +1270,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 2941edc1b4..1a8ed08ee9 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -80,8 +80,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -103,11 +101,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate ANTHROPIC_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Checkout .github and .agents folders @@ -128,9 +126,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -138,18 +136,18 @@ jobs: GH_AW_WORKFLOW_FILE: "unbloat-docs.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -164,22 +162,22 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_pull_request, upload_asset, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -238,9 +236,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -261,10 +259,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -288,11 +286,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -315,10 +313,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: unbloatdocs outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -338,10 +334,12 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Install QMD run: npm install -g @tobilu/qmd - name: Restore QMD index cache @@ -375,7 +373,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -405,9 +403,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -415,7 +413,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Determine automatic lockdown mode for GitHub MCP Server @@ -426,21 +424,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"create_pull_request":{"auto_merge":true,"draft":true,"expires":48,"fallback_as_issue":false,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -648,7 +646,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -796,8 +794,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -808,16 +806,16 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/mcp-scripts/logs - cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' + mkdir -p ${GH_AW_HOME}/mcp-scripts/logs + cat > ${GH_AW_HOME}/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/mcp-scripts/logs", + "logDir": "${GH_AW_HOME}/mcp-scripts/logs", "tools": [ { "name": "qmd-query", @@ -845,7 +843,7 @@ jobs: ] } GH_AW_MCP_SCRIPTS_TOOLS_EOF - cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -854,17 +852,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/mcp-scripts/logs" + logDir: process.env.GH_AW_HOME + "/mcp-scripts/logs" }).catch(error => { console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); GH_AW_MCP_SCRIPTS_SERVER_EOF - chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs + chmod +x ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' + cat > ${GH_AW_HOME}/mcp-scripts/qmd-query.sh << 'GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF' #!/bin/bash # Auto-generated mcp-script tool: qmd-query # Find relevant file paths in project documentation using vector similarity search. Returns file paths and scores. @@ -876,7 +874,7 @@ jobs: GH_AW_MCP_SCRIPTS_SH_QMD-QUERY_EOF - chmod +x /opt/gh-aw/mcp-scripts/qmd-query.sh + chmod +x ${GH_AW_HOME}/mcp-scripts/qmd-query.sh - name: Generate MCP Scripts Server Config id: mcp-scripts-config @@ -908,7 +906,7 @@ jobs: export GH_AW_MCP_SCRIPTS_PORT export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_mcp_scripts_server.sh + bash ${GH_AW_HOME}/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -942,7 +940,7 @@ jobs: export GH_AW_ENGINE="claude" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -1002,7 +1000,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1188,15 +1186,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1206,7 +1204,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1224,9 +1222,9 @@ jobs: GH_AW_COMMAND: unbloat with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1235,27 +1233,27 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_claude_log.cjs'); await main(); - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1345,9 +1343,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1408,9 +1406,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1457,6 +1455,8 @@ jobs: concurrency: group: "gh-aw-conclusion-unbloat-docs" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1471,8 +1471,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1496,9 +1494,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1509,9 +1507,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1533,9 +1531,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1550,9 +1548,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1564,9 +1562,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); pre_activation: @@ -1589,8 +1587,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1599,9 +1595,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1610,9 +1606,9 @@ jobs: GH_AW_COMMANDS: "[\"unbloat\"]" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1630,6 +1626,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/unbloat-docs" GH_AW_ENGINE_ID: "claude" + GH_AW_HOME: /opt/gh-aw GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🗜️ *Compressed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📦 Time to slim down! [{workflow_name}]({run_url}) is trimming the excess from this {event_type}...\",\"runSuccess\":\"🗜️ Docs on a diet! [{workflow_name}]({run_url}) has removed the bloat. Lean and mean! 💪\",\"runFailure\":\"📦 Unbloating paused! [{workflow_name}]({run_url}) {status}. The docs remain... fluffy.\"}" GH_AW_WORKFLOW_ID: "unbloat-docs" GH_AW_WORKFLOW_NAME: "Documentation Unbloat" @@ -1654,8 +1651,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1710,9 +1705,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1729,6 +1724,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: unbloatdocs steps: - name: Checkout actions folder @@ -1740,8 +1736,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1785,8 +1779,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1842,8 +1834,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 00c2b3e0fd..1b10008c21 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "video-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,15 +126,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -189,9 +187,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -208,10 +206,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -231,11 +229,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -258,10 +256,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: videoanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,14 +278,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - id: setup-ffmpeg name: Setup FFmpeg run: |- @@ -320,14 +318,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -336,21 +334,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[video-analysis] \". Labels [\"automation\" \"video-processing\" \"cookie\"] will be automatically added.", @@ -496,7 +494,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -614,8 +612,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -626,7 +624,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -655,7 +653,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -690,7 +688,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -744,7 +742,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -782,15 +780,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -800,7 +798,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -817,9 +815,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -828,18 +826,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -914,9 +912,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -966,9 +964,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1011,6 +1009,8 @@ jobs: concurrency: group: "gh-aw-conclusion-video-analyzer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1025,8 +1025,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1050,9 +1048,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1063,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1085,9 +1083,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1102,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1118,6 +1116,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/video-analyzer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "video-analyzer" GH_AW_WORKFLOW_NAME: "Video Analysis Agent" outputs: @@ -1139,8 +1138,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1166,9 +1163,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 586e4659ba..0227a73718 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -82,11 +80,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -104,9 +102,9 @@ jobs: GH_AW_WORKFLOW_FILE: "weekly-editors-health-check.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -121,21 +119,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, upload_asset, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs). @@ -184,9 +182,9 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -202,10 +200,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -224,11 +222,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -252,10 +250,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: weeklyeditorshealthcheck outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,14 +272,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -306,14 +304,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -322,21 +320,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":168,"max":1,"reviewers":["copilot"],"title_prefix":"[docs] "},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":5}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [\"documentation\" \"automation\"] will be automatically added. Reviewers [\"copilot\"] will be assigned.", @@ -507,7 +505,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -637,8 +635,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -649,7 +647,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -682,7 +680,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -724,7 +722,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -790,7 +788,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -828,15 +826,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -846,7 +844,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -863,9 +861,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -874,18 +872,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -970,9 +968,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1022,9 +1020,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1069,6 +1067,8 @@ jobs: concurrency: group: "gh-aw-conclusion-weekly-editors-health-check" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1083,8 +1083,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1109,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1123,9 +1121,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1148,9 +1146,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1166,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1181,9 +1179,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1200,6 +1198,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-editors-health-check" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "weekly-editors-health-check" GH_AW_WORKFLOW_ID: "weekly-editors-health-check" GH_AW_WORKFLOW_NAME: "Weekly Editors Health Check" @@ -1222,8 +1221,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1278,9 +1275,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1310,8 +1307,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1367,8 +1362,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 4d69574010..8df10a660f 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -64,8 +64,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -90,11 +88,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -112,9 +110,9 @@ jobs: GH_AW_WORKFLOW_FILE: "weekly-issue-summary.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -129,16 +127,16 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/cache_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/cache_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_discussion, upload_asset, missing_tool, missing_data, noop @@ -197,9 +195,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -218,10 +216,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -243,11 +241,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -271,10 +269,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: weeklyissuesummary outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} @@ -294,14 +290,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -327,7 +325,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + run: bash ${GH_AW_HOME}/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: @@ -348,22 +346,22 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Weekly Summary] \". Discussions will be created in category \"audits\".", @@ -519,7 +517,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -639,8 +637,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -651,7 +649,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -682,7 +680,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -717,7 +715,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -757,7 +755,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -795,15 +793,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -813,7 +811,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -830,9 +828,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -841,18 +839,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -942,9 +940,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -994,9 +992,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1042,6 +1040,8 @@ jobs: concurrency: group: "gh-aw-conclusion-weekly-issue-summary" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1056,8 +1056,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1082,9 +1080,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1096,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1120,9 +1118,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1138,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1155,6 +1153,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-issue-summary" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "weekly-issue-summary" GH_AW_WORKFLOW_ID: "weekly-issue-summary" GH_AW_WORKFLOW_NAME: "Weekly Issue Summary" @@ -1175,8 +1174,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1202,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1221,6 +1218,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID_SANITIZED: weeklyissuesummary steps: - name: Checkout actions folder @@ -1232,8 +1230,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1277,8 +1273,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1334,8 +1328,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 06a5b6dbd3..6685f83758 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -59,8 +59,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -85,11 +83,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -107,9 +105,9 @@ jobs: GH_AW_WORKFLOW_FILE: "weekly-safe-outputs-spec-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -124,20 +122,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_pull_request, missing_tool, missing_data, noop GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/safe_outputs_create_pull_request.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_create_pull_request.md" cat << 'GH_AW_PROMPT_EOF' @@ -182,9 +180,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -200,10 +198,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -222,11 +220,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -250,10 +248,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: weeklysafeoutputsspecreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -274,14 +270,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -304,27 +302,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_pull_request":{"expires":168,"max":1,"title_prefix":"[spec-review] "},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[spec-review] \". Labels [\"documentation\" \"safe-outputs\" \"automation\"] will be automatically added.", @@ -470,7 +468,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_pull_request": { "defaultMax": 1, @@ -591,8 +589,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -603,7 +601,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -631,7 +629,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -666,7 +664,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -703,7 +701,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -741,15 +739,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -759,7 +757,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -776,9 +774,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -787,18 +785,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -874,9 +872,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -926,9 +924,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -972,6 +970,8 @@ jobs: concurrency: group: "gh-aw-conclusion-weekly-safe-outputs-spec-review" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -986,8 +986,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1012,9 +1010,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1026,9 +1024,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1051,9 +1049,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1069,9 +1067,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); - name: Handle Create Pull Request Error id: handle_create_pr_error @@ -1084,9 +1082,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_create_pr_error.cjs'); await main(); safe_outputs: @@ -1103,6 +1101,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-safe-outputs-spec-review" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "weekly-safe-outputs-spec-review" GH_AW_WORKFLOW_ID: "weekly-safe-outputs-spec-review" GH_AW_WORKFLOW_NAME: "Weekly Safe Outputs Specification Review" @@ -1125,8 +1124,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1181,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 9e07172798..f88deafb36 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -68,8 +68,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -94,11 +92,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -119,9 +117,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/add_reaction.cjs'); await main(); - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -129,18 +127,18 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-generator.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Lock issue for agent workflow id: lock-issue @@ -148,9 +146,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/lock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/lock-issue.cjs'); await main(); - name: Create prompt with built-in context env: @@ -165,15 +163,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: update_issue, assign_to_agent, missing_tool, missing_data, noop @@ -220,9 +218,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -239,10 +237,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -262,11 +260,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -289,10 +287,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflowgenerator outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -313,14 +309,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -343,27 +341,27 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"assign_to_agent":{"allowed":["copilot"],"max":1,"target":"triggering"},"missing_data":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Assign the GitHub Copilot coding agent to work on an issue or pull request. The agent will analyze the issue/PR and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot. Example usage: assign_to_agent(issue_number=123, agent=\"copilot\") or assign_to_agent(pull_number=456, agent=\"copilot\", pull_request_repo=\"owner/repo\") CONSTRAINTS: Maximum 1 issue(s) can be assigned to agent.", @@ -572,7 +570,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "assign_to_agent": { "defaultMax": 1, @@ -736,8 +734,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -748,7 +746,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -776,7 +774,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -811,7 +809,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -848,7 +846,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -886,15 +884,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -904,7 +902,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -921,9 +919,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -932,18 +930,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1018,9 +1016,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1070,9 +1068,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1116,6 +1114,8 @@ jobs: concurrency: group: "gh-aw-conclusion-workflow-generator" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1130,8 +1130,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1155,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1168,9 +1166,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1192,9 +1190,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1209,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1233,8 +1231,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1243,9 +1239,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); - name: Check user rate limit id: check_rate_limit @@ -1258,9 +1254,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_rate_limit.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_rate_limit.cjs'); await main(); safe_outputs: @@ -1277,6 +1273,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-generator" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "workflow-generator" GH_AW_WORKFLOW_NAME: "Workflow Generator" outputs: @@ -1299,8 +1296,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1326,9 +1321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1342,9 +1337,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require('${GH_AW_HOME}/actions/assign_to_agent.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1374,16 +1369,14 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/unlock-issue.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/unlock-issue.cjs'); await main(); diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 11a829a96d..05cad24a14 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -65,8 +65,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -88,11 +86,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -110,9 +108,9 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-health-manager.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -128,16 +126,16 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_WIKI_NOTE: ${{ '' }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/repo_memory_prompt.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/repo_memory_prompt.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, create_issue, update_issue, missing_tool, missing_data, noop @@ -187,9 +185,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -212,10 +210,10 @@ jobs: GH_AW_WIKI_NOTE: '' with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -241,11 +239,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -271,10 +269,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflowhealthmanager outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -295,14 +291,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -312,7 +310,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + run: bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -335,14 +333,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -351,21 +349,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":15},"create_issue":{"expires":24,"group":true,"max":10},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"update_issue":{"max":5}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created. Labels [\"cookie\"] will be automatically added.", @@ -635,7 +633,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -825,8 +823,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -837,7 +835,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -866,7 +864,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -901,7 +899,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -938,7 +936,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -976,15 +974,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -994,7 +992,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -1011,9 +1009,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -1022,18 +1020,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -1117,9 +1115,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1169,9 +1167,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1217,6 +1215,8 @@ jobs: concurrency: group: "gh-aw-conclusion-workflow-health-manager" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1231,8 +1231,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1256,9 +1254,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1269,9 +1267,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1295,9 +1293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1312,9 +1310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); pre_activation: @@ -1334,8 +1332,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1344,9 +1340,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1358,6 +1354,8 @@ jobs: concurrency: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1372,8 +1370,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1416,9 +1412,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1434,6 +1430,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-health-manager" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "workflow-health-manager" GH_AW_WORKFLOW_NAME: "Workflow Health Manager - Meta-Orchestrator" outputs: @@ -1457,8 +1454,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1484,9 +1479,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index e61b6e16fa..e8130bb9fb 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-normalizer.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, missing_tool, missing_data, noop @@ -184,9 +182,9 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -202,10 +200,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -224,11 +222,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -254,10 +252,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflownormalizer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -278,8 +274,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -315,7 +309,11 @@ jobs: build-args: | BINARY=dist/gh-aw-linux-amd64 - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -338,14 +336,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -354,10 +352,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -372,27 +370,27 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 fi - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_issue":{"expires":24,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[workflow-style] \". Labels [\"cookie\"] will be automatically added.", @@ -538,7 +536,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_issue": { "defaultMax": 1, @@ -656,8 +654,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -668,7 +666,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -698,7 +696,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -745,7 +743,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -782,7 +780,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -820,15 +818,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -838,7 +836,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -855,9 +853,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -866,18 +864,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -952,9 +950,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1004,9 +1002,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1049,6 +1047,8 @@ jobs: concurrency: group: "gh-aw-conclusion-workflow-normalizer" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1063,8 +1063,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1089,9 +1087,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1103,9 +1101,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1126,9 +1124,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1144,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1160,6 +1158,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-normalizer" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_TRACKER_ID: "workflow-normalizer" GH_AW_WORKFLOW_ID: "workflow-normalizer" GH_AW_WORKFLOW_NAME: "Workflow Normalizer" @@ -1182,8 +1181,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1209,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 19f6b87859..b0ac6f60df 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -63,8 +63,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: @@ -86,11 +84,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -108,9 +106,9 @@ jobs: GH_AW_WORKFLOW_FILE: "workflow-skill-extractor.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -125,15 +123,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: create_issue, create_discussion, missing_tool, missing_data, noop @@ -183,9 +181,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -201,10 +199,10 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -223,11 +221,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -253,10 +251,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_HOME: /opt/gh-aw GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflowskillextractor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,14 +273,16 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -307,14 +305,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -323,21 +321,21 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"create_discussion":{"expires":168,"max":1},"create_issue":{"expires":48,"group":true,"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + cat > ${GH_AW_HOME}/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 3 issue(s) can be created. Title will be prefixed with \"[refactoring] \". Labels [\"refactoring\" \"shared-component\" \"improvement\" \"cookie\"] will be automatically added.", @@ -517,7 +515,7 @@ jobs: } ] GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + cat > ${GH_AW_HOME}/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "create_discussion": { "defaultMax": 1, @@ -661,8 +659,8 @@ jobs: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -673,7 +671,7 @@ jobs: export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - bash /opt/gh-aw/actions/start_safe_outputs_server.sh + bash ${GH_AW_HOME}/actions/start_safe_outputs_server.sh - name: Start MCP Gateway id: start-mcp-gateway @@ -702,7 +700,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -737,7 +735,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -794,7 +792,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -832,15 +830,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -850,7 +848,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -867,9 +865,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -878,18 +876,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -964,9 +962,9 @@ jobs: HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1016,9 +1014,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -1062,6 +1060,8 @@ jobs: concurrency: group: "gh-aw-conclusion-workflow-skill-extractor" cancel-in-progress: false + env: + GH_AW_HOME: /opt/gh-aw outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1076,8 +1076,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1101,9 +1099,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1114,9 +1112,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure @@ -1138,9 +1136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message @@ -1155,9 +1153,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/handle_noop_message.cjs'); await main(); safe_outputs: @@ -1172,6 +1170,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-skill-extractor" GH_AW_ENGINE_ID: "copilot" + GH_AW_HOME: /opt/gh-aw GH_AW_WORKFLOW_ID: "workflow-skill-extractor" GH_AW_WORKFLOW_NAME: "Workflow Skill Extractor" outputs: @@ -1193,8 +1192,6 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1220,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/pkg/workflow/compiler_safe_outputs_job.go b/pkg/workflow/compiler_safe_outputs_job.go index 75eed2f444..df7dde2c4c 100644 --- a/pkg/workflow/compiler_safe_outputs_job.go +++ b/pkg/workflow/compiler_safe_outputs_job.go @@ -269,11 +269,11 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa insertIndex += 6 // Checkout step (6 lines: name, uses, with, sparse-checkout header, actions, persist-credentials) } enableCustomTokensForInsert := c.hasCustomTokenSafeOutputs(data.SafeOutputs) -if enableCustomTokensForInsert { -insertIndex += 4 // Setup step with custom tokens (4 lines: name, uses, with, safe-output-custom-tokens) -} else { -insertIndex += 2 // Setup step without custom tokens (2 lines: name, uses) -} + if enableCustomTokensForInsert { + insertIndex += 4 // Setup step with custom tokens (4 lines: name, uses, with, safe-output-custom-tokens) + } else { + insertIndex += 2 // Setup step without custom tokens (2 lines: name, uses) + } } // Add artifact download steps count diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go index 0bd8b79507..d0f4eb9e45 100644 --- a/pkg/workflow/repo_memory.go +++ b/pkg/workflow/repo_memory.go @@ -675,7 +675,7 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna step.WriteString(" const { setupGlobals } = require(" + JsRequireGhAw("actions/setup_globals.cjs") + ");\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript script with proper indentation - formattedScript := FormatJavaScriptForYAML("const { main } = require("+JsRequireGhAw("actions/push_repo_memory.cjs")+"); await main();") + formattedScript := FormatJavaScriptForYAML("const { main } = require(" + JsRequireGhAw("actions/push_repo_memory.cjs") + "); await main();") for _, line := range formattedScript { step.WriteString(line) } diff --git a/pkg/workflow/safe_jobs.go b/pkg/workflow/safe_jobs.go index b81a2c8d90..cfd9a2b459 100644 --- a/pkg/workflow/safe_jobs.go +++ b/pkg/workflow/safe_jobs.go @@ -237,7 +237,7 @@ func (c *Compiler) buildSafeJobs(data *WorkflowData, threatDetectionEnabled bool // Add environment variables step with GH_AW_AGENT_OUTPUT and job-specific env vars steps = append(steps, " - name: Setup Safe Job Environment Variables\n") steps = append(steps, " run: |\n") - steps = append(steps, " find \"" + GhAwHomeExpr + "/safe-jobs/\" -type f -print\n") + steps = append(steps, " find \""+GhAwHomeExpr+"/safe-jobs/\" -type f -print\n") // Configure GH_AW_AGENT_OUTPUT to point to downloaded artifact file steps = append(steps, fmt.Sprintf(" echo \"GH_AW_AGENT_OUTPUT=%s\" >> \"$GITHUB_ENV\"\n", agentOutputArtifactFilename)) From b0a4edde0bebf5ef0174e41686fe8043c5540533 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 13 Mar 2026 22:58:29 +0000 Subject: [PATCH 5/6] fix: address all PR review comments - quoting, paths, GH_AW_HOME override, JS require() fixes Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ace-editor.lock.yml | 8 +- .../agent-performance-analyzer.lock.yml | 27 ++++-- .../workflows/agent-persona-explorer.lock.yml | 25 ++++- .github/workflows/agentics-maintenance.yml | 36 +++---- .github/workflows/ai-moderator.lock.yml | 25 ++++- .github/workflows/archie.lock.yml | 23 ++++- .github/workflows/artifacts-summary.lock.yml | 21 ++++- .github/workflows/audit-workflows.lock.yml | 29 ++++-- .github/workflows/auto-triage-issues.lock.yml | 23 ++++- .github/workflows/blog-auditor.lock.yml | 21 ++++- .github/workflows/bot-detection.lock.yml | 21 ++++- .github/workflows/brave.lock.yml | 23 ++++- .../breaking-change-checker.lock.yml | 23 ++++- .github/workflows/changeset.lock.yml | 23 ++++- .../workflows/chroma-issue-indexer.lock.yml | 6 +- .github/workflows/ci-coach.lock.yml | 23 ++++- .github/workflows/ci-doctor.lock.yml | 25 ++++- .../claude-code-user-docs-review.lock.yml | 23 ++++- .../cli-consistency-checker.lock.yml | 21 ++++- .../workflows/cli-version-checker.lock.yml | 23 ++++- .github/workflows/cloclo.lock.yml | 25 ++++- .../workflows/code-scanning-fixer.lock.yml | 29 ++++-- .github/workflows/code-simplifier.lock.yml | 23 ++++- .../codex-github-remote-mcp-test.lock.yml | 6 +- .../commit-changes-analyzer.lock.yml | 21 ++++- .../constraint-solving-potd.lock.yml | 23 ++++- .github/workflows/contribution-check.lock.yml | 21 ++++- .../workflows/copilot-agent-analysis.lock.yml | 27 ++++-- .../copilot-cli-deep-research.lock.yml | 25 +++-- .../copilot-pr-merged-report.lock.yml | 23 ++++- .../copilot-pr-nlp-analysis.lock.yml | 29 ++++-- .../copilot-pr-prompt-analysis.lock.yml | 27 ++++-- .../copilot-session-insights.lock.yml | 29 ++++-- .github/workflows/craft.lock.yml | 23 ++++- .../daily-architecture-diagram.lock.yml | 23 ++++- .../daily-assign-issue-to-user.lock.yml | 21 ++++- .github/workflows/daily-choice-test.lock.yml | 21 ++++- .../workflows/daily-cli-performance.lock.yml | 25 +++-- .../workflows/daily-cli-tools-tester.lock.yml | 21 ++++- .github/workflows/daily-code-metrics.lock.yml | 29 ++++-- .../workflows/daily-compiler-quality.lock.yml | 23 ++++- .../daily-copilot-token-report.lock.yml | 29 ++++-- .github/workflows/daily-doc-healer.lock.yml | 23 ++++- .github/workflows/daily-doc-updater.lock.yml | 23 ++++- .github/workflows/daily-fact.lock.yml | 21 ++++- .github/workflows/daily-file-diet.lock.yml | 23 ++++- .../workflows/daily-firewall-report.lock.yml | 25 ++++- .../workflows/daily-function-namer.lock.yml | 23 ++++- .../workflows/daily-issues-report.lock.yml | 27 +++++- .../daily-malicious-code-scan.lock.yml | 21 ++++- .../daily-mcp-concurrency-analysis.lock.yml | 27 ++++-- .../daily-multi-device-docs-tester.lock.yml | 23 ++++- .github/workflows/daily-news.lock.yml | 29 ++++-- .../daily-observability-report.lock.yml | 23 ++++- .../daily-performance-summary.lock.yml | 25 ++++- .github/workflows/daily-regulatory.lock.yml | 21 ++++- .../daily-rendering-scripts-verifier.lock.yml | 25 ++++- .../workflows/daily-repo-chronicle.lock.yml | 25 ++++- .../daily-safe-output-optimizer.lock.yml | 25 ++++- .../daily-safe-outputs-conformance.lock.yml | 21 ++++- .../workflows/daily-secrets-analysis.lock.yml | 21 ++++- .../daily-security-red-team.lock.yml | 21 ++++- .github/workflows/daily-semgrep-scan.lock.yml | 21 ++++- .../daily-syntax-error-quality.lock.yml | 21 ++++- .../daily-team-evolution-insights.lock.yml | 21 ++++- .github/workflows/daily-team-status.lock.yml | 23 ++++- .../daily-testify-uber-super-expert.lock.yml | 27 ++++-- .../workflows/daily-workflow-updater.lock.yml | 21 ++++- .github/workflows/dead-code-remover.lock.yml | 25 ++++- .github/workflows/deep-report.lock.yml | 29 ++++-- .github/workflows/delight.lock.yml | 25 +++-- .github/workflows/dependabot-burner.lock.yml | 23 ++++- .../workflows/dependabot-go-checker.lock.yml | 21 ++++- .github/workflows/dev-hawk.lock.yml | 23 ++++- .github/workflows/dev.lock.yml | 21 ++++- .../developer-docs-consolidator.lock.yml | 27 ++++-- .github/workflows/dictation-prompt.lock.yml | 21 ++++- .../workflows/discussion-task-miner.lock.yml | 25 +++-- .github/workflows/docs-noob-tester.lock.yml | 23 ++++- .github/workflows/draft-pr-cleanup.lock.yml | 21 ++++- .../duplicate-code-detector.lock.yml | 21 ++++- .../example-permissions-warning.lock.yml | 6 +- .../example-workflow-analyzer.lock.yml | 21 ++++- .github/workflows/firewall-escape.lock.yml | 29 ++++-- .github/workflows/firewall.lock.yml | 6 +- .../workflows/functional-pragmatist.lock.yml | 21 ++++- .../github-mcp-structural-analysis.lock.yml | 25 ++++- .../github-mcp-tools-report.lock.yml | 23 ++++- .../github-remote-mcp-auth-test.lock.yml | 21 ++++- .../workflows/glossary-maintainer.lock.yml | 27 ++++-- .github/workflows/go-fan.lock.yml | 23 ++++- .github/workflows/go-logger.lock.yml | 23 ++++- .../workflows/go-pattern-detector.lock.yml | 21 ++++- .github/workflows/gpclean.lock.yml | 23 ++++- .github/workflows/grumpy-reviewer.lock.yml | 25 ++++- .github/workflows/hourly-ci-cleaner.lock.yml | 21 ++++- .../workflows/instructions-janitor.lock.yml | 23 ++++- .github/workflows/issue-arborist.lock.yml | 21 ++++- .github/workflows/issue-monster.lock.yml | 27 ++++-- .github/workflows/issue-triage-agent.lock.yml | 21 ++++- .github/workflows/jsweep.lock.yml | 23 ++++- .../workflows/layout-spec-maintainer.lock.yml | 21 ++++- .github/workflows/lockfile-stats.lock.yml | 23 ++++- .github/workflows/mcp-inspector.lock.yml | 23 ++++- .github/workflows/mergefest.lock.yml | 23 ++++- .github/workflows/metrics-collector.lock.yml | 12 ++- .../workflows/notion-issue-summary.lock.yml | 21 ++++- .github/workflows/org-health-report.lock.yml | 25 ++++- .github/workflows/pdf-summary.lock.yml | 25 ++++- .github/workflows/plan.lock.yml | 23 ++++- .github/workflows/poem-bot.lock.yml | 31 +++++-- .github/workflows/portfolio-analyst.lock.yml | 25 ++++- .../workflows/pr-nitpick-reviewer.lock.yml | 25 ++++- .github/workflows/pr-triage-agent.lock.yml | 25 +++-- .../prompt-clustering-analysis.lock.yml | 23 ++++- .github/workflows/python-data-charts.lock.yml | 25 ++++- .github/workflows/q.lock.yml | 25 ++++- .github/workflows/refiner.lock.yml | 23 ++++- .github/workflows/release.lock.yml | 23 ++++- .../workflows/repo-audit-analyzer.lock.yml | 23 ++++- .github/workflows/repo-tree-map.lock.yml | 21 ++++- .../repository-quality-improver.lock.yml | 23 ++++- .github/workflows/research.lock.yml | 21 ++++- .github/workflows/safe-output-health.lock.yml | 23 ++++- .../schema-consistency-checker.lock.yml | 23 ++++- .github/workflows/scout.lock.yml | 25 ++++- ...ecurity-alert-burndown.campaign.g.lock.yml | 24 +++-- .../workflows/security-compliance.lock.yml | 25 +++-- .github/workflows/security-review.lock.yml | 25 ++++- .../semantic-function-refactor.lock.yml | 21 ++++- .github/workflows/sergo.lock.yml | 23 ++++- .../workflows/slide-deck-maintainer.lock.yml | 25 ++++- .../workflows/smoke-agent-all-merged.lock.yml | 23 ++++- .../workflows/smoke-agent-all-none.lock.yml | 23 ++++- .../smoke-agent-public-approved.lock.yml | 27 ++++-- .../smoke-agent-public-none.lock.yml | 23 ++++- .../smoke-agent-scoped-approved.lock.yml | 23 ++++- .../workflows/smoke-call-workflow.lock.yml | 23 ++++- .github/workflows/smoke-claude.lock.yml | 25 ++++- .github/workflows/smoke-codex.lock.yml | 25 ++++- .github/workflows/smoke-copilot-arm.lock.yml | 25 ++++- .github/workflows/smoke-copilot.lock.yml | 25 ++++- .../smoke-create-cross-repo-pr.lock.yml | 22 ++++- .github/workflows/smoke-gemini.lock.yml | 25 ++++- .github/workflows/smoke-multi-pr.lock.yml | 23 ++++- .github/workflows/smoke-project.lock.yml | 22 ++++- .github/workflows/smoke-temporary-id.lock.yml | 23 ++++- .github/workflows/smoke-test-tools.lock.yml | 23 ++++- .../smoke-update-cross-repo-pr.lock.yml | 24 ++++- .../smoke-workflow-call-with-inputs.lock.yml | 25 +++-- .../workflows/smoke-workflow-call.lock.yml | 25 +++-- .../workflows/stale-repo-identifier.lock.yml | 25 ++++- .../workflows/static-analysis-report.lock.yml | 23 ++++- .../workflows/step-name-alignment.lock.yml | 23 ++++- .github/workflows/sub-issue-closer.lock.yml | 21 ++++- .github/workflows/super-linter.lock.yml | 23 ++++- .../workflows/technical-doc-writer.lock.yml | 29 ++++-- .github/workflows/terminal-stylist.lock.yml | 21 ++++- .../test-create-pr-error-handling.lock.yml | 23 ++++- .github/workflows/test-dispatcher.lock.yml | 21 ++++- .../test-project-url-default.lock.yml | 20 +++- .github/workflows/test-workflow.lock.yml | 6 +- .github/workflows/tidy.lock.yml | 23 ++++- .github/workflows/typist.lock.yml | 21 ++++- .../workflows/ubuntu-image-analyzer.lock.yml | 23 ++++- .github/workflows/unbloat-docs.lock.yml | 27 +++++- .github/workflows/video-analyzer.lock.yml | 21 ++++- .../weekly-editors-health-check.lock.yml | 23 ++++- .../workflows/weekly-issue-summary.lock.yml | 25 ++++- .../weekly-safe-outputs-spec-review.lock.yml | 21 ++++- .github/workflows/workflow-generator.lock.yml | 29 ++++-- .../workflow-health-manager.lock.yml | 27 ++++-- .../workflows/workflow-normalizer.lock.yml | 21 ++++- .../workflow-skill-extractor.lock.yml | 21 ++++- actions/setup/setup.sh | 2 + actions/setup/sh/start_mcp_gateway.sh | 12 +-- actions/setup/sh/start_mcp_scripts_server.sh | 8 +- actions/setup/sh/start_safe_outputs_server.sh | 8 +- pkg/constants/constants.go | 5 +- pkg/workflow/agentic_output_test.go | 8 +- pkg/workflow/agentic_workflow_test.go | 2 +- pkg/workflow/aw_info_tmp_test.go | 2 +- pkg/workflow/cache_memory_integration_test.go | 2 +- pkg/workflow/cjs_require_validation_test.go | 4 +- pkg/workflow/codex_engine_test.go | 2 +- pkg/workflow/compiler_custom_actions_test.go | 2 +- pkg/workflow/compiler_main_job.go | 10 +- pkg/workflow/compiler_safe_outputs_job.go | 5 +- .../compiler_safe_outputs_specialized.go | 2 +- pkg/workflow/compiler_safe_outputs_steps.go | 10 +- .../compiler_safe_outputs_steps_test.go | 4 +- pkg/workflow/compiler_workflow_call.go | 2 +- pkg/workflow/compiler_yaml_helpers.go | 12 ++- pkg/workflow/compiler_yaml_main_job_test.go | 2 +- pkg/workflow/copilot_installer_test.go | 12 +-- pkg/workflow/detection_success_test.go | 2 +- pkg/workflow/docker_predownload_test.go | 4 +- pkg/workflow/engine_helpers_shared_test.go | 4 +- pkg/workflow/engine_includes_test.go | 2 +- pkg/workflow/firewall_version_pinning_test.go | 6 +- pkg/workflow/git_config_test.go | 2 +- pkg/workflow/importable_tools_test.go | 2 +- pkg/workflow/inference_access_error_test.go | 2 +- pkg/workflow/main_job_env_test.go | 7 +- pkg/workflow/maintenance_workflow.go | 36 +++---- pkg/workflow/mcp_config_compilation_test.go | 2 +- pkg/workflow/mcp_config_refactor_test.go | 34 +++---- pkg/workflow/mcp_renderer_test.go | 4 +- pkg/workflow/mcp_scripts_generator_test.go | 2 +- pkg/workflow/mcp_scripts_http_codex_test.go | 2 +- pkg/workflow/mcp_scripts_mode_test.go | 2 +- pkg/workflow/notify_comment.go | 2 +- pkg/workflow/pr_checkout_test.go | 4 +- pkg/workflow/prompts_test.go | 8 +- pkg/workflow/repo_memory.go | 2 +- pkg/workflow/repo_memory_integration_test.go | 4 +- pkg/workflow/repo_memory_test.go | 2 +- .../safe_outputs_mcp_integration_test.go | 8 +- pkg/workflow/secret_validation_test.go | 10 +- pkg/workflow/setup_action_paths.go | 10 +- .../step_order_validation_integration_test.go | 2 +- pkg/workflow/step_order_validation_test.go | 2 +- pkg/workflow/step_summary_test.go | 4 +- pkg/workflow/temp_folder_test.go | 2 +- .../template_injection_validation_test.go | 6 +- pkg/workflow/template_rendering_test.go | 4 +- .../basic-copilot.golden | 79 ++++++++-------- .../smoke-copilot.golden | 93 ++++++++++--------- .../with-imports.golden | 79 ++++++++-------- pkg/workflow/threat_detection_test.go | 2 +- 230 files changed, 3409 insertions(+), 1150 deletions(-) diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index 225fb68e2c..5fad5489b1 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -70,6 +70,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -271,7 +273,7 @@ jobs: issues: read pull-requests: read env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: aceeditor outputs: inference_access_error: ${{ steps.detect-inference-error.outputs.inference_access_error || 'false' }} @@ -286,6 +288,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -567,6 +571,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 91adcfc78d..4bb2c68bac 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -265,8 +267,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: agentperformanceanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,6 +292,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1214,7 +1221,7 @@ jobs: group: "gh-aw-conclusion-agent-performance-analyzer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1229,6 +1236,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1331,6 +1340,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1354,7 +1365,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1369,6 +1380,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1429,7 +1442,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/agent-performance-analyzer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "agent-performance-analyzer" GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator" outputs: @@ -1453,6 +1466,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1478,9 +1493,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 4d1a5c7402..3e8b336018 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -263,8 +265,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: agentpersonaexplorer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,6 +290,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1055,7 +1062,7 @@ jobs: group: "gh-aw-conclusion-agent-persona-explorer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1070,6 +1077,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1169,6 +1178,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1194,7 +1205,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/agent-persona-explorer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "agent-persona-explorer" GH_AW_WORKFLOW_NAME: "Agent Persona Explorer" outputs: @@ -1214,6 +1225,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1239,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1270,6 +1283,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index 211c2d107f..853959aed2 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml @@ -71,33 +71,33 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Close expired discussions uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_discussions.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/close_expired_discussions.cjs'); await main(); - name: Close expired issues uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_issues.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/close_expired_issues.cjs'); await main(); - name: Close expired pull requests uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_pull_requests.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/close_expired_pull_requests.cjs'); await main(); run_operation: @@ -116,16 +116,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check admin/maintainer permissions uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_team_member.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_team_member.cjs'); await main(); - name: Setup Go @@ -146,9 +146,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/run_operation_update_upgrade.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/run_operation_update_upgrade.cjs'); await main(); compile-workflows: @@ -180,15 +180,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check for out-of-sync workflows and create issue if needed uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_recompile_needed.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_recompile_needed.cjs'); await main(); zizmor-scan: @@ -236,7 +236,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Validate Secrets uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -254,9 +254,9 @@ jobs: NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/validate_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/validate_secrets.cjs'); await main(); - name: Upload secret validation report diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index df0ba85124..8e182db7dc 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -83,6 +83,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -299,8 +301,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: aimoderator outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -318,6 +323,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Create gh-aw temp directory run: | bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh @@ -948,7 +955,7 @@ jobs: group: "gh-aw-conclusion-ai-moderator" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -963,6 +970,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1060,6 +1069,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check user rate limit id: check_rate_limit uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1117,7 +1128,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ai-moderator" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "ai-moderator" GH_AW_WORKFLOW_NAME: "AI Moderator" outputs: @@ -1137,6 +1148,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1162,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1194,6 +1207,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 26e8ac4b7d..a7f25e3d70 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -87,6 +87,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -312,8 +314,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: archie outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -334,6 +339,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1026,7 +1033,7 @@ jobs: group: "gh-aw-conclusion-archie" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1041,6 +1048,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1144,6 +1153,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1181,7 +1192,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/archie" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📊 *Diagram rendered by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔧 *Workflow sync report by [{workflow_name}]({run_url}) for {repository}*\",\"footerWorkflowRecompileComment\":\"\\u003e 🔄 *Update from [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"📐 [{workflow_name}]({run_url}) is analyzing the architecture for this {event_type}...\",\"runSuccess\":\"🎨 [{workflow_name}]({run_url}) has completed the architecture visualization. ✅\",\"runFailure\":\"📐 [{workflow_name}]({run_url}) encountered an issue and could not complete the architecture diagram. Check the [run logs]({run_url}) for details.\"}" GH_AW_WORKFLOW_ID: "archie" GH_AW_WORKFLOW_NAME: "Archie" @@ -1204,6 +1215,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1229,9 +1242,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 0e9ac160f0..a0a8c937c2 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -249,8 +251,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: artifactssummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -271,6 +276,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -958,7 +965,7 @@ jobs: group: "gh-aw-conclusion-artifacts-summary" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -973,6 +980,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1066,7 +1075,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/artifacts-summary" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "artifacts-summary" GH_AW_WORKFLOW_NAME: "Artifacts Summary" outputs: @@ -1086,6 +1095,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1111,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 31ae971cad..0b934269a9 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -283,8 +285,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: auditworkflows outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -304,6 +309,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1245,7 +1252,7 @@ jobs: group: "gh-aw-conclusion-audit-workflows" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1260,6 +1267,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1359,7 +1368,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1374,6 +1383,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1433,7 +1444,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/audit-workflows" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "audit-workflows-daily" GH_AW_WORKFLOW_ID: "audit-workflows" GH_AW_WORKFLOW_NAME: "Agentic Workflow Audit Agent" @@ -1454,6 +1465,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1479,9 +1492,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1510,6 +1523,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1553,6 +1568,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 590527e85f..b3879ea19a 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -71,6 +71,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -262,8 +264,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: autotriageissues outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,6 +289,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1036,7 +1043,7 @@ jobs: group: "gh-aw-conclusion-auto-triage-issues" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1051,6 +1058,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1150,6 +1159,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1191,7 +1202,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/auto-triage-issues" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "auto-triage-issues" GH_AW_WORKFLOW_NAME: "Auto-Triage Issues" outputs: @@ -1211,6 +1222,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1236,9 +1249,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 4cf00024b5..d1392551f0 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -257,8 +259,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: blogauditor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -278,6 +283,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1079,7 +1086,7 @@ jobs: group: "gh-aw-conclusion-blog-auditor" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1094,6 +1101,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1191,7 +1200,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/blog-auditor" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "blog-auditor-weekly" GH_AW_WORKFLOW_ID: "blog-auditor" GH_AW_WORKFLOW_NAME: "Blog Auditor" @@ -1212,6 +1221,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1237,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index bd64d8c8c5..f4fec8a658 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -60,6 +60,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -265,8 +267,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: botdetection outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,6 +290,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -994,7 +1001,7 @@ jobs: group: "gh-aw-conclusion-bot-detection" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1009,6 +1016,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1898,7 +1907,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/bot-detection" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "bot-detection" GH_AW_WORKFLOW_NAME: "Bot Detection" outputs: @@ -1920,6 +1929,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1945,9 +1956,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 2fced7a102..8dc2da31d4 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -73,6 +73,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -296,8 +298,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: brave outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -318,6 +323,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1014,7 +1021,7 @@ jobs: group: "gh-aw-conclusion-brave" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1029,6 +1036,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1129,6 +1138,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1166,7 +1177,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/brave" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦁 *Search results brought to you by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🔄 *Maintenance report by [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"🔍 Brave Search activated! [{workflow_name}]({run_url}) is venturing into the web on this {event_type}...\",\"runSuccess\":\"🦁 Mission accomplished! [{workflow_name}]({run_url}) has returned with the findings. Knowledge acquired! 🏆\",\"runFailure\":\"🔍 Search interrupted! [{workflow_name}]({run_url}) {status}. The web remains unexplored...\"}" GH_AW_WORKFLOW_ID: "brave" GH_AW_WORKFLOW_NAME: "Brave Web Search Agent" @@ -1189,6 +1200,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1214,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 9bac7821a7..d8b89145e0 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -255,8 +257,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: breakingchangechecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,6 +282,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1005,7 +1012,7 @@ jobs: group: "gh-aw-conclusion-breaking-change-checker" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1020,6 +1027,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1121,6 +1130,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1158,7 +1169,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/breaking-change-checker" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚠️ *Compatibility report by [{workflow_name}]({run_url})*{history_link}\",\"footerWorkflowRecompile\":\"\\u003e 🛠️ *Workflow maintenance by [{workflow_name}]({run_url}) for {repository}*\",\"runStarted\":\"🔬 Breaking Change Checker online! [{workflow_name}]({run_url}) is analyzing API compatibility on this {event_type}...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has reviewed all changes. Compatibility verdict delivered! 📋\",\"runFailure\":\"🔬 Analysis interrupted! [{workflow_name}]({run_url}) {status}. Compatibility status unknown...\"}" GH_AW_TRACKER_ID: "breaking-change-checker" GH_AW_WORKFLOW_ID: "breaking-change-checker" @@ -1182,6 +1193,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1208,9 +1221,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index e8014872df..06c7c651b4 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -81,6 +81,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -310,8 +312,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: changeset outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -331,6 +336,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1059,7 +1066,7 @@ jobs: group: "gh-aw-conclusion-changeset" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1074,6 +1081,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1176,6 +1185,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1203,7 +1214,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/changeset" GH_AW_ENGINE_ID: "codex" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "changeset" GH_AW_WORKFLOW_NAME: "Changeset Generator" outputs: @@ -1225,6 +1236,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1279,9 +1292,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/chroma-issue-indexer.lock.yml b/.github/workflows/chroma-issue-indexer.lock.yml index 8c96b450c3..115bebb51b 100644 --- a/.github/workflows/chroma-issue-indexer.lock.yml +++ b/.github/workflows/chroma-issue-indexer.lock.yml @@ -61,6 +61,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -245,7 +247,7 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: chromaissueindexer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -261,6 +263,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 5dfc50e547..72dc253940 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -272,8 +274,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cicoach outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -294,6 +299,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1063,7 +1070,7 @@ jobs: group: "gh-aw-conclusion-ci-coach" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1078,6 +1085,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1192,7 +1201,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ci-coach" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "ci-coach-daily" GH_AW_WORKFLOW_ID: "ci-coach" GH_AW_WORKFLOW_NAME: "CI Optimization Coach" @@ -1215,6 +1224,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1269,9 +1280,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1300,6 +1311,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index db841ade20..0211714d1d 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -73,6 +73,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -292,8 +294,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cidoctor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -314,6 +319,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1228,7 +1235,7 @@ jobs: group: "gh-aw-conclusion-ci-doctor" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1243,6 +1250,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1350,6 +1359,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1389,7 +1400,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ci-doctor" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🩺 *Diagnosis provided by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🏥 CI Doctor reporting for duty! [{workflow_name}]({run_url}) is examining the patient on this {event_type}...\",\"runSuccess\":\"🩺 Examination complete! [{workflow_name}]({run_url}) has delivered the diagnosis. Prescription issued! 💊\",\"runFailure\":\"🏥 Medical emergency! [{workflow_name}]({run_url}) {status}. Doctor needs assistance...\"}" GH_AW_WORKFLOW_ID: "ci-doctor" GH_AW_WORKFLOW_NAME: "CI Failure Doctor" @@ -1416,6 +1427,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1441,9 +1454,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1472,6 +1485,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 732170a18b..83b463bd76 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -262,8 +264,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: claudecodeuserdocsreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,6 +288,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1047,7 +1054,7 @@ jobs: group: "gh-aw-conclusion-claude-code-user-docs-review" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1062,6 +1069,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1159,7 +1168,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/claude-code-user-docs-review" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "claude-code-user-docs-review" GH_AW_WORKFLOW_ID: "claude-code-user-docs-review" GH_AW_WORKFLOW_NAME: "Claude Code User Documentation Review" @@ -1180,6 +1189,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1205,9 +1216,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1236,6 +1247,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index a6528c7b3e..57f5758596 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -57,6 +57,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -240,8 +242,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cliconsistencychecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -262,6 +267,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -970,7 +977,7 @@ jobs: group: "gh-aw-conclusion-cli-consistency-checker" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -985,6 +992,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1075,7 +1084,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/cli-consistency-checker" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "cli-consistency-checker" GH_AW_WORKFLOW_NAME: "CLI Consistency Checker" outputs: @@ -1097,6 +1106,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1122,9 +1133,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 9ea4bbf83a..2a1decb014 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -263,8 +265,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cliversionchecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,6 +289,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1073,7 +1080,7 @@ jobs: group: "gh-aw-conclusion-cli-version-checker" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1088,6 +1095,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1178,7 +1187,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/cli-version-checker" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "cli-version-checker" GH_AW_WORKFLOW_NAME: "CLI Version Checker" outputs: @@ -1200,6 +1209,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1225,9 +1236,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1256,6 +1267,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 1b5a9303d1..6b165272eb 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -111,6 +111,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -369,8 +371,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: cloclo outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -390,6 +395,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1384,7 +1391,7 @@ jobs: group: "gh-aw-conclusion-cloclo" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1399,6 +1406,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1528,6 +1537,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1567,7 +1578,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/cloclo" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎤 *Magnifique! Performance by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎵 Comme d'habitude! [{workflow_name}]({run_url}) takes the stage on this {event_type}...\",\"runSuccess\":\"🎤 Bravo! [{workflow_name}]({run_url}) has delivered a stunning performance! Standing ovation! 🌟\",\"runFailure\":\"🎵 Intermission... [{workflow_name}]({run_url}) {status}. The show must go on... eventually!\"}" GH_AW_WORKFLOW_ID: "cloclo" GH_AW_WORKFLOW_NAME: "/cloclo" @@ -1592,6 +1603,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1646,9 +1659,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1677,6 +1690,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index fb1a93ab60..48cf5802ff 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -260,8 +262,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: codescanningfixer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,6 +287,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1096,7 +1103,7 @@ jobs: group: "gh-aw-conclusion-code-scanning-fixer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1111,6 +1118,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1227,6 +1236,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1263,7 +1274,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.patch_size_exceeded }} validation_error_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.validation_error }} @@ -1278,6 +1289,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1339,7 +1352,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/code-scanning-fixer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "code-scanning-fixer" GH_AW_WORKFLOW_NAME: "Code Scanning Fixer" outputs: @@ -1361,6 +1374,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1415,9 +1430,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1446,6 +1461,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index c837e6df9a..5bd8f7b651 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -67,6 +67,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -264,8 +266,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: codesimplifier outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,6 +291,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -998,7 +1005,7 @@ jobs: group: "gh-aw-conclusion-code-simplifier" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1013,6 +1020,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1131,6 +1140,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1171,7 +1182,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/code-simplifier" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "code-simplifier" GH_AW_WORKFLOW_ID: "code-simplifier" GH_AW_WORKFLOW_NAME: "Code Simplifier" @@ -1194,6 +1205,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1248,9 +1261,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index b3c9f60809..34f706ac74 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -56,6 +56,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -230,7 +232,7 @@ jobs: contents: read issues: read env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: codexgithubremotemcptest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -245,6 +247,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 28a58865ea..a79f9c5442 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -256,8 +258,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: commitchangesanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,6 +282,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1021,7 +1028,7 @@ jobs: group: "gh-aw-conclusion-commit-changes-analyzer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1036,6 +1043,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1129,7 +1138,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/commit-changes-analyzer" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "commit-changes-analyzer" GH_AW_WORKFLOW_NAME: "Commit Changes Analyzer" outputs: @@ -1149,6 +1158,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,9 +1185,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index e8e7932b8b..4371d8ad98 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -58,6 +58,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -248,8 +250,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: constraintsolvingpotd outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} @@ -269,6 +274,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -959,7 +966,7 @@ jobs: group: "gh-aw-conclusion-constraint-solving-potd" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -974,6 +981,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1067,7 +1076,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/constraint-solving-potd" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "constraint-solving-potd" GH_AW_WORKFLOW_NAME: "Constraint Solving — Problem of the Day" outputs: @@ -1087,6 +1096,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1112,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1143,6 +1154,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 75b8d39563..c985475927 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -61,6 +61,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -250,8 +252,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: contributioncheck outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -272,6 +277,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1072,7 +1079,7 @@ jobs: group: "gh-aw-conclusion-contribution-check" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1087,6 +1094,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1180,7 +1189,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/contribution-check" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "contribution-check" GH_AW_WORKFLOW_NAME: "Contribution Check" outputs: @@ -1204,6 +1213,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1229,9 +1240,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index e6d9fa2f80..d34f2c120f 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -66,6 +66,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -285,8 +287,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotagentanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,6 +311,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1113,7 +1120,7 @@ jobs: group: "gh-aw-conclusion-copilot-agent-analysis" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1128,6 +1135,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1223,7 +1232,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1238,6 +1247,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1297,7 +1308,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-agent-analysis" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "copilot-agent-analysis" GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" outputs: @@ -1317,6 +1328,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1342,9 +1355,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1373,6 +1386,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 63a2b40cca..60549dd631 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -264,8 +266,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotclideepresearch outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,6 +291,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1030,7 +1037,7 @@ jobs: group: "gh-aw-conclusion-copilot-cli-deep-research" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1045,6 +1052,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1140,7 +1149,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1155,6 +1164,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1214,7 +1225,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-cli-deep-research" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "copilot-cli-deep-research" GH_AW_WORKFLOW_NAME: "Copilot CLI Deep Research Agent" outputs: @@ -1234,6 +1245,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1259,9 +1272,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index f4f302f782..aee6ffd097 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -270,8 +272,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotprmergedreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -292,6 +297,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1128,7 +1135,7 @@ jobs: group: "gh-aw-conclusion-copilot-pr-merged-report" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1143,6 +1150,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1236,7 +1245,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-pr-merged-report" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "copilot-pr-merged-report" GH_AW_WORKFLOW_NAME: "Daily Copilot PR Merged Report" outputs: @@ -1256,6 +1265,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1281,9 +1292,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1312,6 +1323,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index fd30541519..5a31c943a4 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -286,8 +288,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotprnlpanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -308,6 +313,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1134,7 +1141,7 @@ jobs: group: "gh-aw-conclusion-copilot-pr-nlp-analysis" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1149,6 +1156,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1244,7 +1253,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1259,6 +1268,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1318,7 +1329,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-pr-nlp-analysis" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "copilot-pr-nlp-analysis" GH_AW_WORKFLOW_NAME: "Copilot PR Conversation NLP Analysis" outputs: @@ -1338,6 +1349,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1363,9 +1376,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1394,6 +1407,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1437,6 +1452,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index b72750bab8..495bdc0de4 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +283,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotprpromptanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -303,6 +308,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1050,7 +1057,7 @@ jobs: group: "gh-aw-conclusion-copilot-pr-prompt-analysis" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1065,6 +1072,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1160,7 +1169,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1175,6 +1184,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1234,7 +1245,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-pr-prompt-analysis" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "copilot-pr-prompt-analysis" GH_AW_WORKFLOW_NAME: "Copilot PR Prompt Pattern Analysis" outputs: @@ -1254,6 +1265,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1279,9 +1292,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1310,6 +1323,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 4a197508f3..69867f809d 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -68,6 +68,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -300,8 +302,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: copilotsessioninsights outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -321,6 +326,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1200,7 +1207,7 @@ jobs: group: "gh-aw-conclusion-copilot-session-insights" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1215,6 +1222,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1310,7 +1319,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1325,6 +1334,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1384,7 +1395,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/copilot-session-insights" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "copilot-session-insights" GH_AW_WORKFLOW_NAME: "Copilot Session Insights" outputs: @@ -1404,6 +1415,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1429,9 +1442,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1460,6 +1473,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1503,6 +1518,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index d458d94a83..dbf4ea152f 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -70,6 +70,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -289,8 +291,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: craft outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -311,6 +316,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1057,7 +1064,7 @@ jobs: group: "gh-aw-conclusion-craft" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1072,6 +1079,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1173,6 +1182,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1212,7 +1223,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/craft" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚒️ *Crafted with care by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🛠️ Master Crafter at work! [{workflow_name}]({run_url}) is forging a new workflow on this {event_type}...\",\"runSuccess\":\"⚒️ Masterpiece complete! [{workflow_name}]({run_url}) has crafted your workflow. May it serve you well! 🎖️\",\"runFailure\":\"🛠️ Forge cooling down! [{workflow_name}]({run_url}) {status}. The anvil awaits another attempt...\"}" GH_AW_WORKFLOW_ID: "craft" GH_AW_WORKFLOW_NAME: "Workflow Craft Agent" @@ -1237,6 +1248,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1291,9 +1304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index d85df02eaf..3ecae57956 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -255,8 +257,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyarchitecturediagram outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,6 +282,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1089,7 +1096,7 @@ jobs: group: "gh-aw-conclusion-daily-architecture-diagram" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1104,6 +1111,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1213,7 +1222,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-architecture-diagram" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "daily-architecture-diagram" GH_AW_WORKFLOW_NAME: "Architecture Diagram Generator" outputs: @@ -1237,6 +1246,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1291,9 +1302,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1322,6 +1333,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index f83bd55f7f..11613f3f5a 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -57,6 +57,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -237,8 +239,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyassignissuetouser outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -259,6 +264,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1003,7 +1010,7 @@ jobs: group: "gh-aw-conclusion-daily-assign-issue-to-user" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1018,6 +1025,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1110,7 +1119,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-assign-issue-to-user" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "daily-assign-issue-to-user" GH_AW_WORKFLOW_NAME: "Auto-Assign Issue" outputs: @@ -1133,6 +1142,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1158,9 +1169,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 5badc950d0..0ecb401b13 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -58,6 +58,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -242,8 +244,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailychoicetest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -263,6 +268,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -975,7 +982,7 @@ jobs: group: "gh-aw-conclusion-daily-choice-test" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -990,6 +997,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1081,7 +1090,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-choice-test" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUTS_STAGED: "true" GH_AW_TRACKER_ID: "daily-choice-test" GH_AW_WORKFLOW_ID: "daily-choice-test" @@ -1103,6 +1112,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1129,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); test_environment: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 12896d63ea..32b0336ae2 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -269,8 +271,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycliperformance outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -291,6 +296,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1235,7 +1242,7 @@ jobs: group: "gh-aw-conclusion-daily-cli-performance" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1250,6 +1257,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1347,7 +1356,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1362,6 +1371,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1422,7 +1433,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-cli-performance" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-cli-performance" GH_AW_WORKFLOW_ID: "daily-cli-performance" GH_AW_WORKFLOW_NAME: "Daily CLI Performance Agent" @@ -1447,6 +1458,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1472,9 +1485,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 197cf8002d..63d8ff5b86 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -253,8 +255,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyclitoolstester outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,6 +280,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1049,7 +1056,7 @@ jobs: group: "gh-aw-conclusion-daily-cli-tools-tester" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1064,6 +1071,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1155,7 +1164,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-cli-tools-tester" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "daily-cli-tools-tester" GH_AW_WORKFLOW_NAME: "Daily CLI Tools Exploratory Tester" outputs: @@ -1177,6 +1186,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1202,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index c6e8d5d338..520d021030 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +283,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycodemetrics outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -302,6 +307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1174,7 +1181,7 @@ jobs: group: "gh-aw-conclusion-daily-code-metrics" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1189,6 +1196,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1288,7 +1297,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1303,6 +1312,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1362,7 +1373,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-code-metrics" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-code-metrics" GH_AW_WORKFLOW_ID: "daily-code-metrics" GH_AW_WORKFLOW_NAME: "Daily Code Metrics and Trend Tracking Agent" @@ -1383,6 +1394,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1408,9 +1421,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1439,6 +1452,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1482,6 +1497,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index c0a4c7512c..8b3696fc21 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -258,8 +260,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycompilerquality outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,6 +285,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1013,7 +1020,7 @@ jobs: group: "gh-aw-conclusion-daily-compiler-quality" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1028,6 +1035,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1125,7 +1134,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-compiler-quality" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-compiler-quality" GH_AW_WORKFLOW_ID: "daily-compiler-quality" GH_AW_WORKFLOW_NAME: "Daily Compiler Quality Check" @@ -1146,6 +1155,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1171,9 +1182,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1202,6 +1213,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index bfbd40025f..2a0ab7f6e5 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -274,8 +276,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailycopilottokenreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -296,6 +301,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Create gh-aw temp directory run: | bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh @@ -1142,7 +1149,7 @@ jobs: group: "gh-aw-conclusion-daily-copilot-token-report" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1157,6 +1164,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1256,7 +1265,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1271,6 +1280,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1330,7 +1341,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-copilot-token-report" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-copilot-token-report" GH_AW_WORKFLOW_ID: "daily-copilot-token-report" GH_AW_WORKFLOW_NAME: "Daily Copilot Token Consumption Report" @@ -1351,6 +1362,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1376,9 +1389,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1407,6 +1420,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1450,6 +1465,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 45b227a9de..79f1a83ec0 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -265,8 +267,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailydochealer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,6 +291,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1319,7 +1326,7 @@ jobs: group: "gh-aw-conclusion-daily-doc-healer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1334,6 +1341,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1448,7 +1457,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-doc-healer" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-doc-healer" GH_AW_WORKFLOW_ID: "daily-doc-healer" GH_AW_WORKFLOW_NAME: "Daily Documentation Healer" @@ -1473,6 +1482,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1528,9 +1539,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' @@ -1571,6 +1582,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 985dcf4516..aefc237dd0 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -261,8 +263,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailydocupdater outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,6 +287,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1234,7 +1241,7 @@ jobs: group: "gh-aw-conclusion-daily-doc-updater" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1249,6 +1256,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1363,7 +1372,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-doc-updater" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-doc-updater" GH_AW_WORKFLOW_ID: "daily-doc-updater" GH_AW_WORKFLOW_NAME: "Daily Documentation Updater" @@ -1386,6 +1395,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1440,9 +1451,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1471,6 +1482,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 2139cb5a3b..422bc078c9 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -51,6 +51,8 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -230,8 +232,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfact outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -244,6 +249,8 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -912,7 +919,7 @@ jobs: group: "gh-aw-conclusion-daily-fact" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -920,6 +927,8 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1018,7 +1027,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-fact" GH_AW_ENGINE_ID: "codex" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Penned with care by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 Hark! The muse awakens — [{workflow_name}]({run_url}) begins its verse upon this {event_type}...\",\"runSuccess\":\"✨ Lo! [{workflow_name}]({run_url}) hath woven its tale to completion, like a sonnet finding its final rhyme. 🌟\",\"runFailure\":\"🌧️ Alas! [{workflow_name}]({run_url}) {status}, its quill fallen mid-verse. The poem remains unfinished...\"}" GH_AW_TRACKER_ID: "daily-fact-thread" GH_AW_WORKFLOW_ID: "daily-fact" @@ -1035,6 +1044,8 @@ jobs: steps: - name: Setup Scripts uses: github/gh-aw/actions/setup@a70c5eada06553e3510ac27f2c3bda9d3705bccb # a70c5eada06553e3510ac27f2c3bda9d3705bccb + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1060,9 +1071,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 7dfff0a8cd..10cca95ed0 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -67,6 +67,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -263,8 +265,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfilediet outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,6 +290,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1023,7 +1030,7 @@ jobs: group: "gh-aw-conclusion-daily-file-diet" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1038,6 +1045,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1138,6 +1147,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1175,7 +1186,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-file-diet" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-file-diet" GH_AW_WORKFLOW_ID: "daily-file-diet" GH_AW_WORKFLOW_NAME: "Daily File Diet" @@ -1198,6 +1209,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1223,9 +1236,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index e8b1eb66ae..3f1e73d521 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -266,8 +268,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfirewallreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,6 +293,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1131,7 +1138,7 @@ jobs: group: "gh-aw-conclusion-daily-firewall-report" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1146,6 +1153,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1244,7 +1253,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-firewall-report" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-firewall-report" GH_AW_WORKFLOW_ID: "daily-firewall-report" GH_AW_WORKFLOW_NAME: "Daily Firewall Logs Collector and Reporter" @@ -1265,6 +1274,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1290,9 +1301,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1321,6 +1332,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1364,6 +1377,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 5072a5749c..b3f5f8ba0c 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -264,8 +266,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyfunctionnamer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,6 +290,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1098,7 +1105,7 @@ jobs: group: "gh-aw-conclusion-daily-function-namer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1113,6 +1120,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1207,7 +1216,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-function-namer" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-function-namer" GH_AW_WORKFLOW_ID: "daily-function-namer" GH_AW_WORKFLOW_NAME: "Daily Go Function Namer" @@ -1230,6 +1239,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1255,9 +1266,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1286,6 +1297,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index d3c71bfb5e..966a23bf77 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -69,6 +69,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -287,8 +289,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyissuesreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -308,6 +313,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1135,7 +1142,7 @@ jobs: group: "gh-aw-conclusion-daily-issues-report" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1150,6 +1157,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1252,6 +1261,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1277,7 +1288,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-issues-report" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-issues-report" GH_AW_WORKFLOW_ID: "daily-issues-report" GH_AW_WORKFLOW_NAME: "Daily Issues Report Generator" @@ -1298,6 +1309,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1323,9 +1336,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1354,6 +1367,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1397,6 +1412,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 519882616d..25e8a889b9 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -246,8 +248,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailymaliciouscodescan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -266,6 +271,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -868,7 +875,7 @@ jobs: group: "gh-aw-conclusion-daily-malicious-code-scan" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -883,6 +890,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -977,7 +986,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-malicious-code-scan" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "malicious-code-scan" GH_AW_WORKFLOW_ID: "daily-malicious-code-scan" GH_AW_WORKFLOW_NAME: "Daily Malicious Code Scan Agent" @@ -998,6 +1007,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1023,9 +1034,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 86c4643f28..3a14e42eab 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -257,8 +259,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailymcpconcurrencyanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -279,6 +284,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1074,7 +1081,7 @@ jobs: group: "gh-aw-conclusion-daily-mcp-concurrency-analysis" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1089,6 +1096,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1183,7 +1192,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-mcp-concurrency-analysis" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "mcp-concurrency-analysis" GH_AW_WORKFLOW_ID: "daily-mcp-concurrency-analysis" GH_AW_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" @@ -1208,6 +1217,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1233,9 +1244,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Create Agent Session id: create_agent_session @@ -1246,9 +1257,9 @@ jobs: with: github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); + const { main } = require(process.env.GH_AW_HOME + '/actions/create_agent_session.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -1276,6 +1287,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 4d5617d6a7..811a03555a 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -69,6 +69,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -270,8 +272,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailymultidevicedocstester outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -291,6 +296,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1166,7 +1173,7 @@ jobs: group: "gh-aw-conclusion-daily-multi-device-docs-tester" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1181,6 +1188,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1275,7 +1284,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-multi-device-docs-tester" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-multi-device-docs-tester" GH_AW_WORKFLOW_ID: "daily-multi-device-docs-tester" GH_AW_WORKFLOW_NAME: "Multi-Device Docs Tester" @@ -1298,6 +1307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1323,9 +1334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1355,6 +1366,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 8306487cbc..014257745c 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -285,8 +287,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailynews outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -307,6 +312,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1203,7 +1210,7 @@ jobs: group: "gh-aw-conclusion-daily-news" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1218,6 +1225,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1317,7 +1326,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1332,6 +1341,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1391,7 +1402,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-news" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-news-weekday" GH_AW_WORKFLOW_ID: "daily-news" GH_AW_WORKFLOW_NAME: "Daily News" @@ -1412,6 +1423,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1437,9 +1450,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1468,6 +1481,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1511,6 +1526,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 3ca83f722f..384ed76638 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -259,8 +261,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyobservabilityreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,6 +285,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1092,7 +1099,7 @@ jobs: group: "gh-aw-conclusion-daily-observability-report" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1107,6 +1114,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1209,6 +1218,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1234,7 +1245,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-observability-report" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-observability-report" GH_AW_WORKFLOW_ID: "daily-observability-report" GH_AW_WORKFLOW_NAME: "Daily Observability Report for AWF Firewall and MCP Gateway" @@ -1255,6 +1266,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1280,9 +1293,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index fb634b0a0f..cace521060 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -271,8 +273,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyperformancesummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -293,6 +298,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1615,7 +1622,7 @@ jobs: group: "gh-aw-conclusion-daily-performance-summary" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1630,6 +1637,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1728,7 +1737,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-performance-summary" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-performance-summary" GH_AW_WORKFLOW_ID: "daily-performance-summary" GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" @@ -1749,6 +1758,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1774,9 +1785,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1805,6 +1816,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1848,6 +1861,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 59d211d9f8..fc9e751a23 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -258,8 +260,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyregulatory outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,6 +285,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1512,7 +1519,7 @@ jobs: group: "gh-aw-conclusion-daily-regulatory" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1527,6 +1534,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1625,7 +1634,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-regulatory" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-regulatory" GH_AW_WORKFLOW_ID: "daily-regulatory" GH_AW_WORKFLOW_NAME: "Daily Regulatory Report Generator" @@ -1646,6 +1655,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1671,9 +1682,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index ff27072d54..9defc46f92 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -67,6 +67,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -272,8 +274,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyrenderingscriptsverifier outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -293,6 +298,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1179,7 +1186,7 @@ jobs: group: "gh-aw-conclusion-daily-rendering-scripts-verifier" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1194,6 +1201,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1311,6 +1320,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1351,7 +1362,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-rendering-scripts-verifier" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-rendering-scripts-verifier" GH_AW_WORKFLOW_ID: "daily-rendering-scripts-verifier" GH_AW_WORKFLOW_NAME: "Daily Rendering Scripts Verifier" @@ -1374,6 +1385,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1428,9 +1441,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1459,6 +1472,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 0bb78ffd74..61b54eeb0c 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -263,8 +265,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyrepochronicle outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,6 +290,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1062,7 +1069,7 @@ jobs: group: "gh-aw-conclusion-daily-repo-chronicle" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1077,6 +1084,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,7 +1183,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-repo-chronicle" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-repo-chronicle" GH_AW_WORKFLOW_ID: "daily-repo-chronicle" GH_AW_WORKFLOW_NAME: "The Daily Repository Chronicle" @@ -1195,6 +1204,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1220,9 +1231,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1251,6 +1262,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1294,6 +1307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index b32949b0df..094e6b8999 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -68,6 +68,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -272,8 +274,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysafeoutputoptimizer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -293,6 +298,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1166,7 +1173,7 @@ jobs: group: "gh-aw-conclusion-daily-safe-output-optimizer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1181,6 +1188,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1277,6 +1286,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1314,7 +1325,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-safe-output-optimizer" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "daily-safe-output-optimizer" GH_AW_WORKFLOW_NAME: "Daily Safe Output Tool Optimizer" outputs: @@ -1336,6 +1347,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1361,9 +1374,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1392,6 +1405,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index f69e2f2752..a062866373 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -251,8 +253,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysafeoutputsconformance outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -272,6 +277,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1036,7 +1043,7 @@ jobs: group: "gh-aw-conclusion-daily-safe-outputs-conformance" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1051,6 +1058,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1145,7 +1154,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-safe-outputs-conformance" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "safe-outputs-conformance" GH_AW_WORKFLOW_ID: "daily-safe-outputs-conformance" GH_AW_WORKFLOW_NAME: "Daily Safe Outputs Conformance Checker" @@ -1168,6 +1177,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1193,9 +1204,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index f493aead00..ff2fff5a7a 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -248,8 +250,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysecretsanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -270,6 +275,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1026,7 +1033,7 @@ jobs: group: "gh-aw-conclusion-daily-secrets-analysis" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1041,6 +1048,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1138,7 +1147,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-secrets-analysis" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-secrets-analysis" GH_AW_WORKFLOW_ID: "daily-secrets-analysis" GH_AW_WORKFLOW_NAME: "Daily Secrets Analysis Agent" @@ -1159,6 +1168,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1184,9 +1195,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index c99d108e98..4f56aa73f6 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -255,8 +257,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysecurityredteam outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,6 +281,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1040,7 +1047,7 @@ jobs: group: "gh-aw-conclusion-daily-security-red-team" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1055,6 +1062,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1149,7 +1158,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-security-red-team" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "security-red-team" GH_AW_WORKFLOW_ID: "daily-security-red-team" GH_AW_WORKFLOW_NAME: "Daily Security Red Team Agent" @@ -1172,6 +1181,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1197,9 +1208,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 369a20d3c7..4c06df8927 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -251,8 +253,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysemgrepscan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -273,6 +278,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1012,7 +1019,7 @@ jobs: group: "gh-aw-conclusion-daily-semgrep-scan" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1027,6 +1034,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1118,7 +1127,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-semgrep-scan" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "daily-semgrep-scan" GH_AW_WORKFLOW_NAME: "Daily Semgrep Scan" outputs: @@ -1138,6 +1147,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1163,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 36409b28da..15f9901d9a 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -247,8 +249,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailysyntaxerrorquality outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -269,6 +274,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -999,7 +1006,7 @@ jobs: group: "gh-aw-conclusion-daily-syntax-error-quality" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1014,6 +1021,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1108,7 +1117,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-syntax-error-quality" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-syntax-error-quality" GH_AW_WORKFLOW_ID: "daily-syntax-error-quality" GH_AW_WORKFLOW_NAME: "Daily Syntax Error Quality Check" @@ -1131,6 +1140,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1156,9 +1167,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index c9b3686d22..fe15f18f47 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -254,8 +256,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyteamevolutioninsights outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,6 +280,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1018,7 +1025,7 @@ jobs: group: "gh-aw-conclusion-daily-team-evolution-insights" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1033,6 +1040,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1130,7 +1139,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-team-evolution-insights" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-team-evolution-insights" GH_AW_WORKFLOW_ID: "daily-team-evolution-insights" GH_AW_WORKFLOW_NAME: "Daily Team Evolution Insights" @@ -1151,6 +1160,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1176,9 +1187,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 4829ae2814..8661092703 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -72,6 +72,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -261,8 +263,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyteamstatus outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,6 +288,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -990,7 +997,7 @@ jobs: group: "gh-aw-conclusion-daily-team-status" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1005,6 +1012,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1114,6 +1123,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check stop-time limit id: check_stop_time uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1138,7 +1149,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-team-status" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-team-status" GH_AW_WORKFLOW_ID: "daily-team-status" GH_AW_WORKFLOW_NAME: "Daily Team Status" @@ -1163,6 +1174,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1188,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index feee842cd7..908d92abcc 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -68,6 +68,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -278,8 +280,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailytestifyubersuperexpert outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -300,6 +305,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1072,7 +1079,7 @@ jobs: group: "gh-aw-conclusion-daily-testify-uber-super-expert" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1087,6 +1094,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1191,6 +1200,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1227,7 +1238,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1242,6 +1253,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1300,7 +1313,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-testify-uber-super-expert" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-testify-uber-super-expert" GH_AW_WORKFLOW_ID: "daily-testify-uber-super-expert" GH_AW_WORKFLOW_NAME: "Daily Testify Uber Super Expert" @@ -1323,6 +1336,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1348,9 +1363,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 947d353f5a..c935058fe2 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -58,6 +58,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -241,8 +243,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dailyworkflowupdater outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -263,6 +268,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -976,7 +983,7 @@ jobs: group: "gh-aw-conclusion-daily-workflow-updater" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -991,6 +998,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1105,7 +1114,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/daily-workflow-updater" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "daily-workflow-updater" GH_AW_WORKFLOW_ID: "daily-workflow-updater" GH_AW_WORKFLOW_NAME: "Daily Workflow Updater" @@ -1128,6 +1137,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1182,9 +1193,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index d969247fd5..5fc6cbbfe8 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -266,8 +268,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: deadcoderemover outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,6 +293,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1029,7 +1036,7 @@ jobs: group: "gh-aw-conclusion-dead-code-remover" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1044,6 +1051,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1156,6 +1165,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1196,7 +1207,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dead-code-remover" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "dead-code-remover" GH_AW_WORKFLOW_NAME: "Dead Code Removal Agent" outputs: @@ -1218,6 +1229,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1272,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1303,6 +1316,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 1c341b8bd9..8e7537c639 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -284,8 +286,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: deepreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -305,6 +310,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1240,7 +1247,7 @@ jobs: group: "gh-aw-conclusion-deep-report" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1255,6 +1262,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1354,7 +1363,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1369,6 +1378,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1428,7 +1439,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/deep-report" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "deep-report-intel-agent" GH_AW_WORKFLOW_ID: "deep-report" GH_AW_WORKFLOW_NAME: "DeepReport - Intelligence Gathering Agent" @@ -1451,6 +1462,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1476,9 +1489,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1507,6 +1520,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1550,6 +1565,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 3a954a2702..60b15f22d0 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -266,8 +268,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: delight outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,6 +293,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1118,7 +1125,7 @@ jobs: group: "gh-aw-conclusion-delight" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1133,6 +1140,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1233,7 +1242,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1248,6 +1257,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1307,7 +1318,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/delight" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📊 *User experience analysis by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📊 Delight Agent starting! [{workflow_name}]({run_url}) is analyzing user-facing aspects for improvement opportunities...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has identified targeted improvements for user experience.\",\"runFailure\":\"⚠️ Analysis interrupted! [{workflow_name}]({run_url}) {status}. Please review the logs...\"}" GH_AW_TRACKER_ID: "delight-daily" GH_AW_WORKFLOW_ID: "delight" @@ -1331,6 +1342,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1356,9 +1369,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 904b68f1cf..8c518b3ff7 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -253,8 +255,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dependabotburner outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -275,6 +280,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -982,7 +989,7 @@ jobs: group: "gh-aw-conclusion-dependabot-burner" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -997,6 +1004,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1094,6 +1103,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1118,7 +1129,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dependabot-burner" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "dependabot-burner" GH_AW_WORKFLOW_NAME: "Dependabot Burner" outputs: @@ -1140,6 +1151,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1165,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 89ce33ce2a..25bf7203be 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -252,8 +254,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dependabotgochecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -274,6 +279,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1031,7 +1038,7 @@ jobs: group: "gh-aw-conclusion-dependabot-go-checker" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1046,6 +1053,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1137,7 +1146,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dependabot-go-checker" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "dependabot-go-checker" GH_AW_WORKFLOW_NAME: "Dependabot Dependency Checker" outputs: @@ -1159,6 +1168,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1184,9 +1195,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index df8bb4f302..72e5648294 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -68,6 +68,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -275,8 +277,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: devhawk outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -297,6 +302,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1063,7 +1070,7 @@ jobs: group: "gh-aw-conclusion-dev-hawk" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1078,6 +1085,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1176,6 +1185,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1202,7 +1213,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dev-hawk" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦅 *Observed from above by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🦅 Dev Hawk circles the sky! [{workflow_name}]({run_url}) is monitoring this {event_type} from above...\",\"runSuccess\":\"🦅 Hawk eyes report! [{workflow_name}]({run_url}) has completed reconnaissance. Intel delivered! 🎯\",\"runFailure\":\"🦅 Hawk down! [{workflow_name}]({run_url}) {status}. The skies grow quiet...\"}" GH_AW_WORKFLOW_ID: "dev-hawk" GH_AW_WORKFLOW_NAME: "Dev Hawk" @@ -1225,6 +1236,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1250,9 +1263,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 4615de6c08..4ed091329c 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -57,6 +57,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -237,8 +239,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dev outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -259,6 +264,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -967,7 +974,7 @@ jobs: group: "gh-aw-conclusion-dev" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -982,6 +989,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1072,7 +1081,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dev" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "dev" GH_AW_WORKFLOW_NAME: "Dev" outputs: @@ -1094,6 +1103,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1119,9 +1130,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 7031ec4d74..73e5cff15c 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -284,8 +286,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: developerdocsconsolidator outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -305,6 +310,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1368,7 +1375,7 @@ jobs: group: "gh-aw-conclusion-developer-docs-consolidator" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1383,6 +1390,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1494,7 +1503,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1509,6 +1518,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1571,7 +1582,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/developer-docs-consolidator" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "developer-docs-consolidator" GH_AW_WORKFLOW_NAME: "Developer Documentation Consolidator" outputs: @@ -1593,6 +1604,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1647,9 +1660,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1678,6 +1691,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 59ad47d508..34d02e170f 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -251,8 +253,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: dictationprompt outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -273,6 +278,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1122,7 +1129,7 @@ jobs: group: "gh-aw-conclusion-dictation-prompt" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1137,6 +1144,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1246,7 +1255,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/dictation-prompt" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "dictation-prompt" GH_AW_WORKFLOW_NAME: "Dictation Prompt Generator" outputs: @@ -1268,6 +1277,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1322,9 +1333,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 1afac9ce93..0702f75ad4 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -267,8 +269,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: discussiontaskminer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -289,6 +294,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1102,7 +1109,7 @@ jobs: group: "gh-aw-conclusion-discussion-task-miner" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1117,6 +1124,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1215,7 +1224,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1230,6 +1239,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1290,7 +1301,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/discussion-task-miner" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Task mining by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 Discussion Task Miner starting! [{workflow_name}]({run_url}) is scanning discussions for code quality improvements...\",\"runSuccess\":\"✅ Task mining complete! [{workflow_name}]({run_url}) has identified actionable code quality tasks. 📊\",\"runFailure\":\"⚠️ Task mining interrupted! [{workflow_name}]({run_url}) {status}. Please review the logs...\"}" GH_AW_TRACKER_ID: "discussion-task-miner" GH_AW_WORKFLOW_ID: "discussion-task-miner" @@ -1316,6 +1327,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1341,9 +1354,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index aab8e58b28..1693478c2b 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -254,8 +256,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: docsnoobtester outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,6 +281,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1021,7 +1028,7 @@ jobs: group: "gh-aw-conclusion-docs-noob-tester" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1036,6 +1043,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1129,7 +1138,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/docs-noob-tester" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "docs-noob-tester" GH_AW_WORKFLOW_NAME: "Documentation Noob Tester" outputs: @@ -1149,6 +1158,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1174,9 +1185,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1206,6 +1217,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 32ced25a7d..2b7cb00bab 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -58,6 +58,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -239,8 +241,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: draftprcleanup outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -261,6 +266,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1040,7 +1047,7 @@ jobs: group: "gh-aw-conclusion-draft-pr-cleanup" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1055,6 +1062,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1148,7 +1157,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/draft-pr-cleanup" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🧹 Starting draft PR cleanup... [{workflow_name}]({run_url}) is reviewing draft PRs for staleness\",\"runSuccess\":\"✅ Draft PR cleanup complete! [{workflow_name}]({run_url}) has reviewed and processed stale drafts.\",\"runFailure\":\"❌ Draft PR cleanup failed! [{workflow_name}]({run_url}) {status}. Some draft PRs may not be processed.\"}" GH_AW_WORKFLOW_ID: "draft-pr-cleanup" GH_AW_WORKFLOW_NAME: "Draft PR Cleanup" @@ -1171,6 +1180,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1196,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index f9c45ead97..ec47acb146 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -262,8 +264,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: duplicatecodedetector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,6 +288,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1008,7 +1015,7 @@ jobs: group: "gh-aw-conclusion-duplicate-code-detector" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1023,6 +1030,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1113,7 +1122,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/duplicate-code-detector" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "duplicate-code-detector" GH_AW_WORKFLOW_NAME: "Duplicate Code Detector" outputs: @@ -1135,6 +1144,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1161,9 +1172,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign Copilot to created issues if: steps.process_safe_outputs.outputs.issues_to_assign_copilot != '' diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 5cdb6c77c1..f2e5b8784d 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -56,6 +56,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -229,7 +231,7 @@ jobs: issues: read pull-requests: read env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: examplepermissionswarning outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -245,6 +247,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index bcf52db452..666527192f 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -251,8 +253,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: exampleworkflowanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -272,6 +277,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1081,7 +1088,7 @@ jobs: group: "gh-aw-conclusion-example-workflow-analyzer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1096,6 +1103,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1189,7 +1198,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/example-workflow-analyzer" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "example-workflow-analyzer" GH_AW_WORKFLOW_NAME: "Weekly Workflow Analysis" outputs: @@ -1209,6 +1218,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1234,9 +1245,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index c610c263b3..f6a934d116 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -71,6 +71,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -284,8 +286,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: firewallescape outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -306,6 +311,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1045,7 +1052,7 @@ jobs: group: "gh-aw-conclusion-firewall-escape" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1060,6 +1067,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1198,6 +1207,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1221,7 +1232,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1236,6 +1247,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1294,7 +1307,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/firewall-escape" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "firewall-escape" GH_AW_WORKFLOW_ID: "firewall-escape" GH_AW_WORKFLOW_NAME: "The Great Escapi" @@ -1315,6 +1328,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1340,9 +1355,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1371,6 +1386,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index fd86b79fa7..060ff4e85d 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -56,6 +56,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -231,7 +233,7 @@ jobs: issues: read pull-requests: read env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: firewall outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -247,6 +249,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index f2aec5e0ac..2455f266f6 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -254,8 +256,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: functionalpragmatist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,6 +281,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -988,7 +995,7 @@ jobs: group: "gh-aw-conclusion-functional-pragmatist" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1003,6 +1010,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1118,7 +1127,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/functional-pragmatist" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "functional-pragmatist" GH_AW_WORKFLOW_ID: "functional-pragmatist" GH_AW_WORKFLOW_NAME: "Functional Pragmatist" @@ -1141,6 +1150,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1195,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 2e355eda5a..6b1e145b22 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -267,8 +269,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: githubmcpstructuralanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,6 +293,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1125,7 +1132,7 @@ jobs: group: "gh-aw-conclusion-github-mcp-structural-analysis" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1140,6 +1147,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1233,7 +1242,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/github-mcp-structural-analysis" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "github-mcp-structural-analysis" GH_AW_WORKFLOW_NAME: "GitHub MCP Structural Analysis" outputs: @@ -1253,6 +1262,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1278,9 +1289,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1309,6 +1320,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1352,6 +1365,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 3c82b54573..d98bb1d02e 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -264,8 +266,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: githubmcptoolsreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,6 +290,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1137,7 +1144,7 @@ jobs: group: "gh-aw-conclusion-github-mcp-tools-report" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1152,6 +1159,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1264,7 +1273,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/github-mcp-tools-report" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "github-mcp-tools-report" GH_AW_WORKFLOW_NAME: "GitHub MCP Remote Server Tools Report Generator" outputs: @@ -1286,6 +1295,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1340,9 +1351,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1371,6 +1382,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 19bb8b48a6..dac1ea0b46 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -59,6 +59,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -249,8 +251,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: githubremotemcpauthtest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -271,6 +276,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -966,7 +973,7 @@ jobs: group: "gh-aw-conclusion-github-remote-mcp-auth-test" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -981,6 +988,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1076,7 +1085,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/github-remote-mcp-auth-test" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "github-remote-mcp-auth-test" GH_AW_WORKFLOW_NAME: "GitHub Remote MCP Authentication Test" outputs: @@ -1096,6 +1105,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1121,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index ad68103c87..9bf4b36867 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -286,8 +288,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: glossarymaintainer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -308,6 +313,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1256,7 +1263,7 @@ jobs: group: "gh-aw-conclusion-glossary-maintainer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1271,6 +1278,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1381,7 +1390,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1396,6 +1405,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1457,7 +1468,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/glossary-maintainer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "glossary-maintainer" GH_AW_WORKFLOW_NAME: "Glossary Maintainer" outputs: @@ -1479,6 +1490,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1533,9 +1546,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1564,6 +1577,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index d648f396ce..28e59b8900 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -264,8 +266,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gofan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,6 +290,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1083,7 +1090,7 @@ jobs: group: "gh-aw-conclusion-go-fan" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1098,6 +1105,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1195,7 +1204,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/go-fan" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "go-fan-daily" GH_AW_WORKFLOW_ID: "go-fan" GH_AW_WORKFLOW_NAME: "Go Fan" @@ -1216,6 +1225,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1241,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1272,6 +1283,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 7476f08fb1..57ade40f00 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -260,8 +262,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gologger outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -281,6 +286,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1259,7 +1266,7 @@ jobs: group: "gh-aw-conclusion-go-logger" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1274,6 +1281,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1383,7 +1392,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/go-logger" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "go-logger" GH_AW_WORKFLOW_NAME: "Go Logger Enhancement" outputs: @@ -1405,6 +1414,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1459,9 +1470,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1490,6 +1501,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index e6d08494a8..4e7d1ecfd8 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -262,8 +264,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gopatterndetector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,6 +288,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1089,7 +1096,7 @@ jobs: group: "gh-aw-conclusion-go-pattern-detector" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1104,6 +1111,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1194,7 +1203,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/go-pattern-detector" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "go-pattern-detector" GH_AW_WORKFLOW_NAME: "Go Pattern Detector" outputs: @@ -1216,6 +1225,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1241,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 6258d11ab9..8f1c0eaf7d 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -258,8 +260,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: gpclean outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,6 +285,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1010,7 +1017,7 @@ jobs: group: "gh-aw-conclusion-gpclean" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1025,6 +1032,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1116,7 +1125,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/gpclean" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "gpclean" GH_AW_WORKFLOW_NAME: "GPL Dependency Cleaner (gpclean)" outputs: @@ -1138,6 +1147,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1163,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1194,6 +1205,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 6f896dfd39..4eb376cc7d 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -75,6 +75,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -304,8 +306,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: grumpyreviewer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -326,6 +331,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1094,7 +1101,7 @@ jobs: group: "gh-aw-conclusion-grumpy-reviewer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1109,6 +1116,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1211,6 +1220,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1246,7 +1257,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/grumpy-reviewer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 😤 *Reluctantly reviewed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"😤 *sigh* [{workflow_name}]({run_url}) is begrudgingly looking at this {event_type}... This better be worth my time.\",\"runSuccess\":\"😤 Fine. [{workflow_name}]({run_url}) finished the review. It wasn't completely terrible. I guess. 🙄\",\"runFailure\":\"😤 Great. [{workflow_name}]({run_url}) {status}. As if my day couldn't get any worse...\"}" GH_AW_WORKFLOW_ID: "grumpy-reviewer" GH_AW_WORKFLOW_NAME: "Grumpy Code Reviewer 🔥" @@ -1267,6 +1278,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1292,9 +1305,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1323,6 +1336,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 4801056b48..862ba8a577 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -271,8 +273,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: hourlycicleaner outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -293,6 +298,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1085,7 +1092,7 @@ jobs: group: "gh-aw-conclusion-hourly-ci-cleaner" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1100,6 +1107,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1217,7 +1226,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/hourly-ci-cleaner" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "hourly-ci-cleaner" GH_AW_WORKFLOW_ID: "hourly-ci-cleaner" GH_AW_WORKFLOW_NAME: "CI Cleaner" @@ -1240,6 +1249,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1294,9 +1305,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 18bb3514d7..a0bc58cfa5 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -59,6 +59,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -253,8 +255,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: instructionsjanitor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -274,6 +279,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1087,7 +1094,7 @@ jobs: group: "gh-aw-conclusion-instructions-janitor" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1102,6 +1109,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1211,7 +1220,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/instructions-janitor" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "instructions-janitor" GH_AW_WORKFLOW_NAME: "Instructions Janitor" outputs: @@ -1233,6 +1242,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1287,9 +1298,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1318,6 +1329,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index d1ba1b88eb..42a986142c 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -258,8 +260,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: issuearborist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -279,6 +284,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1084,7 +1091,7 @@ jobs: group: "gh-aw-conclusion-issue-arborist" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1099,6 +1106,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1192,7 +1201,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/issue-arborist" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "issue-arborist" GH_AW_WORKFLOW_NAME: "Issue Arborist" outputs: @@ -1214,6 +1223,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1239,9 +1250,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index d50809b157..c888d60e74 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -71,6 +71,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -278,8 +280,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: issuemonster outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -300,6 +305,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1036,7 +1043,7 @@ jobs: group: "gh-aw-conclusion-issue-monster" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1051,6 +1058,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1151,6 +1160,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1204,7 +1215,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/issue-monster" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🍪 *Om nom nom by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🍪 ISSUE! ISSUE! [{workflow_name}]({run_url}) hungry for issues on this {event_type}! Om nom nom...\",\"runSuccess\":\"🍪 YUMMY! [{workflow_name}]({run_url}) ate the issues! That was DELICIOUS! Me want MORE! 😋\",\"runFailure\":\"🍪 Aww... [{workflow_name}]({run_url}) {status}. No cookie for monster today... 😢\"}" GH_AW_WORKFLOW_ID: "issue-monster" GH_AW_WORKFLOW_NAME: "Issue Monster" @@ -1230,6 +1241,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1255,9 +1268,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1271,9 +1284,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/assign_to_agent.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_to_agent.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 2c9e595476..a35af45335 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -61,6 +61,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -251,8 +253,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: issuetriageagent outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} @@ -272,6 +277,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -977,7 +984,7 @@ jobs: group: "gh-aw-conclusion-issue-triage-agent" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -992,6 +999,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1084,7 +1093,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/issue-triage-agent" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "issue-triage-agent" GH_AW_WORKFLOW_NAME: "Issue Triage Agent" outputs: @@ -1106,6 +1115,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1131,9 +1142,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index fe817c1009..9a8f4462e0 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -59,6 +59,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -256,8 +258,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: jsweep outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -278,6 +283,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1024,7 +1031,7 @@ jobs: group: "gh-aw-conclusion-jsweep" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1039,6 +1046,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1154,7 +1163,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/jsweep" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "jsweep-daily" GH_AW_WORKFLOW_ID: "jsweep" GH_AW_WORKFLOW_NAME: "jsweep - JavaScript Unbloater" @@ -1177,6 +1186,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1231,9 +1242,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1262,6 +1273,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index dea4b9acb9..be449f0d70 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -60,6 +60,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -247,8 +249,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: layoutspecmaintainer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -269,6 +274,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1017,7 +1024,7 @@ jobs: group: "gh-aw-conclusion-layout-spec-maintainer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1032,6 +1039,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1147,7 +1156,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/layout-spec-maintainer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "layout-spec-maintainer" GH_AW_WORKFLOW_ID: "layout-spec-maintainer" GH_AW_WORKFLOW_NAME: "Layout Specification Maintainer" @@ -1170,6 +1179,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1224,9 +1235,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 00b7fb99b6..10a3db4fbf 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -258,8 +260,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: lockfilestats outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -279,6 +284,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1043,7 +1050,7 @@ jobs: group: "gh-aw-conclusion-lockfile-stats" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1058,6 +1065,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1151,7 +1160,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/lockfile-stats" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "lockfile-stats" GH_AW_WORKFLOW_NAME: "Lockfile Statistics Analysis Agent" outputs: @@ -1171,6 +1180,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1196,9 +1207,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1227,6 +1238,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 1e87d239be..a44f155ad8 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -78,6 +78,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -318,8 +320,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: mcpinspector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -340,6 +345,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1373,7 +1380,7 @@ jobs: group: "gh-aw-conclusion-mcp-inspector" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1388,6 +1395,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1752,7 +1761,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/mcp-inspector" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "mcp-inspector" GH_AW_WORKFLOW_NAME: "MCP Inspector Agent" outputs: @@ -1772,6 +1781,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1798,9 +1809,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1829,6 +1840,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index bed14d2f2e..971205293c 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -70,6 +70,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -290,8 +292,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: mergefest outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -312,6 +317,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1037,7 +1044,7 @@ jobs: group: "gh-aw-conclusion-mergefest" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1052,6 +1059,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1154,6 +1163,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1191,7 +1202,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/mergefest" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "mergefest" GH_AW_WORKFLOW_NAME: "Mergefest" outputs: @@ -1213,6 +1224,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1267,9 +1280,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index f8127c0411..15561147ce 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -61,6 +61,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -255,7 +257,7 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: metricscollector outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -271,6 +273,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -622,6 +626,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -645,7 +651,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -660,6 +666,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 3f7a357daa..bda1e82b9e 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -254,8 +256,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: notionissuesummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -274,6 +279,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -805,7 +812,7 @@ jobs: group: "gh-aw-conclusion-notion-issue-summary" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -820,6 +827,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1036,7 +1045,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/notion-issue-summary" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "notion-issue-summary" GH_AW_WORKFLOW_NAME: "Issue Summary to Notion" outputs: @@ -1056,6 +1065,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1082,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 566a2e7a46..10c7863542 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -272,8 +274,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: orghealthreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -294,6 +299,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1061,7 +1068,7 @@ jobs: group: "gh-aw-conclusion-org-health-report" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1076,6 +1083,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1170,7 +1179,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/org-health-report" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "org-health-report" GH_AW_WORKFLOW_NAME: "Organization Health Report" outputs: @@ -1190,6 +1199,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1215,9 +1226,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1246,6 +1257,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1289,6 +1302,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 3dc783961e..802dc0e1fe 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -93,6 +93,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -336,8 +338,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: pdfsummary outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -358,6 +363,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1125,7 +1132,7 @@ jobs: group: "gh-aw-conclusion-pdf-summary" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1140,6 +1147,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1246,6 +1255,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1283,7 +1294,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pdf-summary" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📄 *Summary compiled by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📖 Page by page! [{workflow_name}]({run_url}) is reading through this {event_type}...\",\"runSuccess\":\"📚 TL;DR ready! [{workflow_name}]({run_url}) has distilled the essence. Knowledge condensed! ✨\",\"runFailure\":\"📖 Reading interrupted! [{workflow_name}]({run_url}) {status}. The document remains unsummarized...\"}" GH_AW_WORKFLOW_ID: "pdf-summary" GH_AW_WORKFLOW_NAME: "Resource Summarizer Agent" @@ -1306,6 +1317,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1331,9 +1344,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1362,6 +1375,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index fd88583bcf..9ad5d5b56d 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -75,6 +75,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -297,8 +299,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: plan outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -319,6 +324,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1085,7 +1092,7 @@ jobs: group: "gh-aw-conclusion-plan" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1100,6 +1107,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1201,6 +1210,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1237,7 +1248,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/plan" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "plan" GH_AW_WORKFLOW_NAME: "Plan Command" outputs: @@ -1259,6 +1270,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1284,9 +1297,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 2c21a875c1..beb7a4803f 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -85,6 +85,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -325,8 +327,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: poembot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -347,6 +352,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1794,7 +1801,7 @@ jobs: group: "gh-aw-conclusion-poem-bot" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1809,6 +1816,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1930,6 +1939,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1970,7 +1981,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/poem-bot" GH_AW_ENGINE_ID: "copilot" GH_AW_ENGINE_MODEL: "gpt-5" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUTS_STAGED: "true" GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Verses penned by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🎭 Hear ye! The muse stirs! [{workflow_name}]({run_url}) takes quill in hand for this {event_type}...\",\"runSuccess\":\"🪶 The poem is writ! [{workflow_name}]({run_url}) has composed verses most fair. Applause! 👏\",\"runFailure\":\"🎭 Alas! [{workflow_name}]({run_url}) {status}. The muse has fled, leaving verses unsung...\"}" GH_AW_WORKFLOW_ID: "poem-bot" @@ -2002,6 +2013,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2057,9 +2070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Create Agent Session id: create_agent_session @@ -2071,9 +2084,9 @@ jobs: with: github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); + const { main } = require(process.env.GH_AW_HOME + '/actions/create_agent_session.cjs'); await main(); update_cache_memory: needs: agent @@ -2094,6 +2107,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -2137,6 +2152,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 70c4e97a48..39bbd6e7f7 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -269,8 +271,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: portfolioanalyst outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -291,6 +296,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1142,7 +1149,7 @@ jobs: group: "gh-aw-conclusion-portfolio-analyst" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1157,6 +1164,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1255,7 +1264,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/portfolio-analyst" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "portfolio-analyst-weekly" GH_AW_WORKFLOW_ID: "portfolio-analyst" GH_AW_WORKFLOW_NAME: "Automated Portfolio Analyst" @@ -1276,6 +1285,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1301,9 +1312,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1332,6 +1343,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1375,6 +1388,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index f905675b06..5945d61a84 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -103,6 +103,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -334,8 +336,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: prnitpickreviewer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -356,6 +361,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1197,7 +1204,7 @@ jobs: group: "gh-aw-conclusion-pr-nitpick-reviewer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1212,6 +1219,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1322,6 +1331,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1359,7 +1370,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pr-nitpick-reviewer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Meticulously inspected by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 Adjusting monocle... [{workflow_name}]({run_url}) is scrutinizing every pixel of this {event_type}...\",\"runSuccess\":\"🔍 Nitpicks catalogued! [{workflow_name}]({run_url}) has documented all the tiny details. Perfection awaits! ✅\",\"runFailure\":\"🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected...\"}" GH_AW_WORKFLOW_ID: "pr-nitpick-reviewer" GH_AW_WORKFLOW_NAME: "PR Nitpick Reviewer 🔍" @@ -1380,6 +1391,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1405,9 +1418,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1436,6 +1449,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index b65b721b7b..8f5b7877e5 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -58,6 +58,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -261,8 +263,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: prtriageagent outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -283,6 +288,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1119,7 +1126,7 @@ jobs: group: "gh-aw-conclusion-pr-triage-agent" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1134,6 +1141,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1229,7 +1238,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1244,6 +1253,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1304,7 +1315,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pr-triage-agent" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🔍 Starting PR triage analysis... [{workflow_name}]({run_url}) is categorizing and prioritizing agent-created PRs\",\"runSuccess\":\"✅ PR triage complete! [{workflow_name}]({run_url}) has analyzed and categorized PRs. Check the issue for detailed report.\",\"runFailure\":\"❌ PR triage failed! [{workflow_name}]({run_url}) {status}. Some PRs may not be triaged.\"}" GH_AW_WORKFLOW_ID: "pr-triage-agent" GH_AW_WORKFLOW_NAME: "PR Triage Agent" @@ -1329,6 +1340,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1354,9 +1367,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index be999f542f..8399a2187b 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -68,6 +68,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -273,8 +275,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: promptclusteringanalysis outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -294,6 +299,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1174,7 +1181,7 @@ jobs: group: "gh-aw-conclusion-prompt-clustering-analysis" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1189,6 +1196,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1282,7 +1291,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/prompt-clustering-analysis" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "prompt-clustering-analysis" GH_AW_WORKFLOW_NAME: "Copilot Agent Prompt Clustering Analysis" outputs: @@ -1302,6 +1311,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1327,9 +1338,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1358,6 +1369,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 6491238bbb..0ed357bdb3 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -265,8 +267,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: pythondatacharts outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -287,6 +292,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1130,7 +1137,7 @@ jobs: group: "gh-aw-conclusion-python-data-charts" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1145,6 +1152,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1239,7 +1248,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/python-data-charts" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "python-data-charts" GH_AW_WORKFLOW_NAME: "Python Data Visualization Generator" outputs: @@ -1259,6 +1268,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1284,9 +1295,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1315,6 +1326,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1358,6 +1371,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index e110bc7fe0..8af1ab44cc 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -111,6 +111,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -353,8 +355,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: q outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -375,6 +380,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1236,7 +1243,7 @@ jobs: group: "gh-aw-conclusion-q" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1251,6 +1258,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1381,6 +1390,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1420,7 +1431,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/q" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎩 *Equipped by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Pay attention, 007! [{workflow_name}]({run_url}) is preparing your gadgets for this {event_type}...\",\"runSuccess\":\"🎩 Mission equipment ready! [{workflow_name}]({run_url}) has optimized your workflow. Use wisely, 007! 🔫\",\"runFailure\":\"🔧 Technical difficulties! [{workflow_name}]({run_url}) {status}. Even Q Branch has bad days...\"}" GH_AW_WORKFLOW_ID: "q" GH_AW_WORKFLOW_NAME: "Q" @@ -1445,6 +1456,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1499,9 +1512,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1530,6 +1543,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index dd8172555b..2149c26703 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -74,6 +74,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -280,8 +282,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: refiner outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -302,6 +307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1059,7 +1066,7 @@ jobs: group: "gh-aw-conclusion-refiner" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1074,6 +1081,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1191,6 +1200,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1219,7 +1230,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/refiner" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runStarted\":\"🔍 Starting code refinement... [{workflow_name}]({run_url}) is analyzing PR #${{ github.event.pull_request.number }} for style alignment and security issues\",\"runSuccess\":\"✅ Refinement complete! [{workflow_name}]({run_url}) has created a PR with improvements for PR #${{ github.event.pull_request.number }}\",\"runFailure\":\"❌ Refinement failed! [{workflow_name}]({run_url}) {status} while processing PR #${{ github.event.pull_request.number }}\"}" GH_AW_WORKFLOW_ID: "refiner" GH_AW_WORKFLOW_NAME: "Code Refiner" @@ -1244,6 +1255,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1298,9 +1311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 627a1a7292..db5a941a48 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -71,6 +71,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -260,8 +262,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: release outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,6 +287,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -978,7 +985,7 @@ jobs: group: "gh-aw-conclusion-release" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -993,6 +1000,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1198,6 +1207,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1426,7 +1437,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/release" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "release" GH_AW_WORKFLOW_NAME: "Release" outputs: @@ -1446,6 +1457,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1471,9 +1484,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 87303f7aad..8d90d1e403 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -66,6 +66,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -263,8 +265,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: repoauditanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,6 +290,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -989,7 +996,7 @@ jobs: group: "gh-aw-conclusion-repo-audit-analyzer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1004,6 +1011,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1101,7 +1110,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/repo-audit-analyzer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "repo-audit-analyzer" GH_AW_WORKFLOW_NAME: "Repository Audit & Agentic Workflow Opportunity Analyzer" outputs: @@ -1121,6 +1130,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1146,9 +1157,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1177,6 +1188,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (repo-audits) id: download_cache_repo_audits uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index bb6e3f80bd..e9ce532722 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -250,8 +252,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: repotreemap outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -272,6 +277,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -958,7 +965,7 @@ jobs: group: "gh-aw-conclusion-repo-tree-map" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -973,6 +980,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1067,7 +1076,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/repo-tree-map" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "repo-tree-map" GH_AW_WORKFLOW_NAME: "Repository Tree Map Generator" outputs: @@ -1087,6 +1096,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1112,9 +1123,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index af0cf0cfd8..974071d33a 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -262,8 +264,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: repositoryqualityimprover outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,6 +289,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -996,7 +1003,7 @@ jobs: group: "gh-aw-conclusion-repository-quality-improver" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1011,6 +1018,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1105,7 +1114,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/repository-quality-improver" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "repository-quality-improver" GH_AW_WORKFLOW_NAME: "Repository Quality Improvement Agent" outputs: @@ -1125,6 +1134,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1150,9 +1161,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1181,6 +1192,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (focus-areas) id: download_cache_focus_areas uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index cdde26c2bd..26d704aaee 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -66,6 +66,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -260,8 +262,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: research outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,6 +287,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -984,7 +991,7 @@ jobs: group: "gh-aw-conclusion-research" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -999,6 +1006,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1093,7 +1102,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/research" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "research" GH_AW_WORKFLOW_NAME: "Basic Research Agent" outputs: @@ -1113,6 +1122,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1138,9 +1149,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index f5eb0bd4c2..8c15dec620 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -263,8 +265,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: safeoutputhealth outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -284,6 +289,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1136,7 +1143,7 @@ jobs: group: "gh-aw-conclusion-safe-output-health" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1151,6 +1158,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1244,7 +1253,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/safe-output-health" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "safe-output-health" GH_AW_WORKFLOW_NAME: "Safe Output Health Monitor" outputs: @@ -1264,6 +1273,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1289,9 +1300,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1320,6 +1331,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 680e1dd6f6..e94346cd1b 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -258,8 +260,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: schemaconsistencychecker outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -279,6 +284,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1044,7 +1051,7 @@ jobs: group: "gh-aw-conclusion-schema-consistency-checker" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1059,6 +1066,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1152,7 +1161,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/schema-consistency-checker" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "schema-consistency-checker" GH_AW_WORKFLOW_NAME: "Schema Consistency Checker" outputs: @@ -1172,6 +1181,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1197,9 +1208,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1228,6 +1239,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 2cbc28c438..e7c42b0c32 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -130,6 +130,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -390,8 +392,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: scout outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -411,6 +416,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1278,7 +1285,7 @@ jobs: group: "gh-aw-conclusion-scout" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1293,6 +1300,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1405,6 +1414,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1442,7 +1453,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/scout" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔭 *Intelligence gathered by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🏕️ Scout on patrol! [{workflow_name}]({run_url}) is blazing trails through this {event_type}...\",\"runSuccess\":\"🔭 Recon complete! [{workflow_name}]({run_url}) has charted the territory. Map ready! 🗺️\",\"runFailure\":\"🏕️ Lost in the wilderness! [{workflow_name}]({run_url}) {status}. Sending search party...\"}" GH_AW_WORKFLOW_ID: "scout" GH_AW_WORKFLOW_NAME: "Scout" @@ -1465,6 +1476,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1490,9 +1503,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1521,6 +1534,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index 18bce3611d..554ad4928d 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -250,8 +252,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: securityalertburndown.campaign.g outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -271,6 +276,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1423,7 +1430,7 @@ jobs: group: "gh-aw-conclusion-security-alert-burndown.campaign.g" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1438,6 +1445,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1531,7 +1540,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.patch_size_exceeded }} validation_error_campaigns: ${{ steps.push_repo_memory_campaigns.outputs.validation_error }} @@ -1546,6 +1555,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1606,7 +1617,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/security-alert-burndown.campaign.g" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "security-alert-burndown.campaign.g" GH_AW_WORKFLOW_NAME: "Security Alert Burndown" outputs: @@ -1631,6 +1642,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1659,9 +1671,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 4c2208ba1f..81951290f7 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -71,6 +71,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -288,8 +290,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: securitycompliance outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -310,6 +315,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1052,7 +1059,7 @@ jobs: group: "gh-aw-conclusion-security-compliance" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1067,6 +1074,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1161,7 +1170,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1176,6 +1185,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1234,7 +1245,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/security-compliance" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "security-compliance" GH_AW_WORKFLOW_NAME: "Security Compliance Campaign" outputs: @@ -1256,6 +1267,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1281,9 +1294,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index acf48aa431..c9956c3bb4 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -75,6 +75,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -305,8 +307,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: securityreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -327,6 +332,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1173,7 +1180,7 @@ jobs: group: "gh-aw-conclusion-security-review" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1188,6 +1195,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1290,6 +1299,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1325,7 +1336,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/security-review" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔒 *Security review by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) is analyzing this {event_type} for security implications...\",\"runSuccess\":\"🔒 [{workflow_name}]({run_url}) completed the security review.\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status} during security review.\"}" GH_AW_WORKFLOW_ID: "security-review" GH_AW_WORKFLOW_NAME: "Security Review Agent 🔒" @@ -1346,6 +1357,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1371,9 +1384,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1402,6 +1415,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 759e56824a..a8ed626a16 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -256,8 +258,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: semanticfunctionrefactor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -277,6 +282,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1126,7 +1133,7 @@ jobs: group: "gh-aw-conclusion-semantic-function-refactor" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1141,6 +1148,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1231,7 +1240,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/semantic-function-refactor" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "semantic-function-refactor" GH_AW_WORKFLOW_NAME: "Semantic Function Refactoring" outputs: @@ -1253,6 +1262,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1278,9 +1289,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 433ee4cf0d..92cfd133d7 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -264,8 +266,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: sergo outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -285,6 +290,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1082,7 +1089,7 @@ jobs: group: "gh-aw-conclusion-sergo" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1097,6 +1104,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1194,7 +1203,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/sergo" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "sergo-daily" GH_AW_WORKFLOW_ID: "sergo" GH_AW_WORKFLOW_NAME: "Sergo - Serena Go Expert" @@ -1215,6 +1224,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1240,9 +1251,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1271,6 +1282,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 1a180353e0..841c23a194 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -70,6 +70,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +283,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: slidedeckmaintainer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -303,6 +308,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1091,7 +1098,7 @@ jobs: group: "gh-aw-conclusion-slide-deck-maintainer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1106,6 +1113,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1224,6 +1233,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1264,7 +1275,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/slide-deck-maintainer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "slide-deck-maintainer" GH_AW_WORKFLOW_ID: "slide-deck-maintainer" GH_AW_WORKFLOW_NAME: "Slide Deck Maintainer" @@ -1287,6 +1298,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1341,9 +1354,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1372,6 +1385,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index ea0ce72d75..eff8ef5b08 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -73,6 +73,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +283,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentallmerged outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -302,6 +307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -988,7 +995,7 @@ jobs: group: "gh-aw-conclusion-smoke-agent-all-merged" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1003,6 +1010,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1122,6 +1131,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1148,7 +1159,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-all-merged" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=merged`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-all-merged" GH_AW_WORKFLOW_NAME: "Smoke Agent: all/merged" @@ -1171,6 +1182,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1196,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 3a777c8043..2614795b34 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -73,6 +73,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +283,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentallnone outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -302,6 +307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -988,7 +995,7 @@ jobs: group: "gh-aw-conclusion-smoke-agent-all-none" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1003,6 +1010,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1122,6 +1131,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1148,7 +1159,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-all-none" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=all, min-integrity=none`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-all-none" GH_AW_WORKFLOW_NAME: "Smoke Agent: all/none" @@ -1171,6 +1182,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1196,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 461a17e264..29f09e580c 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -73,6 +73,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +283,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentpublicapproved outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -302,6 +307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1053,7 +1060,7 @@ jobs: group: "gh-aw-conclusion-smoke-agent-public-approved" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1068,6 +1075,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1189,6 +1198,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1215,7 +1226,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-public-approved" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🤖 [{workflow_name}]({run_url}) is looking for a Smoke issue to assign...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed. Issue assigned to the agentic-workflows agent.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-public-approved" GH_AW_WORKFLOW_NAME: "Smoke Agent: public/approved" @@ -1241,6 +1252,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1266,9 +1279,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1283,9 +1296,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/assign_to_agent.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_to_agent.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index bba60ed7a3..82a38e0be3 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -73,6 +73,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +283,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentpublicnone outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -302,6 +307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -988,7 +995,7 @@ jobs: group: "gh-aw-conclusion-smoke-agent-public-none" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1003,6 +1010,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1122,6 +1131,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1148,7 +1159,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-public-none" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=public, min-integrity=none`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-public-none" GH_AW_WORKFLOW_NAME: "Smoke Agent: public/none" @@ -1171,6 +1182,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1196,9 +1209,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 07e7e5d1ab..e8ebe9ba42 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -73,6 +73,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +283,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeagentscopedapproved outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -302,6 +307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -992,7 +999,7 @@ jobs: group: "gh-aw-conclusion-smoke-agent-scoped-approved" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1007,6 +1014,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1126,6 +1135,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1152,7 +1163,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-agent-scoped-approved" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *Guard policy smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 [{workflow_name}]({run_url}) testing guard policy: `repos=[github/gh-aw, github/*], min-integrity=approved`...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed guard policy test.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-agent-scoped-approved" GH_AW_WORKFLOW_NAME: "Smoke Agent: scoped/approved" @@ -1175,6 +1186,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1200,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 0c1bdd7e78..44ca4694d4 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -69,6 +69,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -265,8 +267,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecallworkflow outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -286,6 +291,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -998,7 +1005,7 @@ jobs: group: "gh-aw-conclusion-smoke-call-workflow" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1013,6 +1020,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1112,6 +1121,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1137,7 +1148,7 @@ jobs: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-call-workflow" GH_AW_ENGINE_ID: "codex" GH_AW_ENGINE_MODEL: "gpt-5.1-codex-mini" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "smoke-call-workflow" GH_AW_WORKFLOW_NAME: "Smoke Call Workflow" outputs: @@ -1161,6 +1172,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1186,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 05dd02ee47..d5db03bd64 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -87,6 +87,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -677,8 +679,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeclaude outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -698,6 +703,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -2712,7 +2719,7 @@ jobs: group: "gh-aw-conclusion-smoke-claude" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -2727,6 +2734,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2848,6 +2857,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2876,7 +2887,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-claude" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 💥 *[THE END] — Illustrated by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"💥 **WHOOSH!** [{workflow_name}]({run_url}) springs into action on this {event_type}! *[Panel 1 begins...]*\",\"runSuccess\":\"🎬 **THE END** — [{workflow_name}]({run_url}) **MISSION: ACCOMPLISHED!** The hero saves the day! ✨\",\"runFailure\":\"💫 **TO BE CONTINUED...** [{workflow_name}]({run_url}) {status}! Our hero faces unexpected challenges...\"}" GH_AW_WORKFLOW_ID: "smoke-claude" GH_AW_WORKFLOW_NAME: "Smoke Claude" @@ -2904,6 +2915,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2958,9 +2971,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -2989,6 +3002,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index be721134fa..07a7d34d97 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -80,6 +80,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -320,8 +322,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecodex outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -341,6 +346,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1539,7 +1546,7 @@ jobs: group: "gh-aw-conclusion-smoke-codex" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1554,6 +1561,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1673,6 +1682,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1699,7 +1710,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-codex" GH_AW_ENGINE_ID: "codex" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔮 *The oracle has spoken through [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔮 The ancient spirits stir... [{workflow_name}]({run_url}) awakens to divine this {event_type}...\",\"runSuccess\":\"✨ The prophecy is fulfilled... [{workflow_name}]({run_url}) has completed its mystical journey. The stars align. 🌟\",\"runFailure\":\"🌑 The shadows whisper... [{workflow_name}]({run_url}) {status}. The oracle requires further meditation...\"}" GH_AW_WORKFLOW_ID: "smoke-codex" GH_AW_WORKFLOW_NAME: "Smoke Codex" @@ -1724,6 +1735,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1749,9 +1762,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1780,6 +1793,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 5637b7e63a..d9a68b6c3e 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -79,6 +79,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -324,8 +326,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecopilotarm outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -346,6 +351,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -2075,7 +2082,7 @@ jobs: group: "gh-aw-conclusion-smoke-copilot-arm" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -2090,6 +2097,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2213,6 +2222,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2240,7 +2251,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-copilot-arm" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_WORKFLOW_ID: "smoke-copilot-arm" GH_AW_WORKFLOW_NAME: "Smoke Copilot ARM64" @@ -2265,6 +2276,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2291,9 +2304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -2356,6 +2369,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index a5d3200fcb..a9a1106827 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -81,6 +81,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -327,8 +329,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecopilot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -349,6 +354,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -2190,7 +2197,7 @@ jobs: group: "gh-aw-conclusion-smoke-copilot" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -2205,6 +2212,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2328,6 +2337,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -2355,7 +2366,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-copilot" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" GH_AW_WORKFLOW_ID: "smoke-copilot" GH_AW_WORKFLOW_NAME: "Smoke Copilot" @@ -2380,6 +2391,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -2406,9 +2419,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -2471,6 +2484,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index b0d5ab5887..8fc75702bb 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -74,6 +74,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -288,8 +290,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokecreatecrossrepopr outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -310,6 +315,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1169,7 +1176,7 @@ jobs: group: "gh-aw-conclusion-smoke-create-cross-repo-pr" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1184,6 +1191,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1319,6 +1328,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1347,7 +1358,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-create-cross-repo-pr" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔬 *Cross-repo smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔬 [{workflow_name}]({run_url}) is testing cross-repo PR creation in githubnext/gh-aw-side-repo...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created a cross-repo PR in githubnext/gh-aw-side-repo!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create a cross-repo PR: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-create-cross-repo-pr" GH_AW_WORKFLOW_NAME: "Smoke Create Cross-Repo PR" @@ -1375,6 +1386,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1432,9 +1444,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index f057b3c09c..3d96417971 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -80,6 +80,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -314,8 +316,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokegemini outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -335,6 +340,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1258,7 +1265,7 @@ jobs: group: "gh-aw-conclusion-smoke-gemini" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1273,6 +1280,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1392,6 +1401,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1418,7 +1429,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-gemini" GH_AW_ENGINE_ID: "gemini" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ✨ *[{workflow_name}]({run_url}) — Powered by Gemini*{history_link}\",\"runStarted\":\"✨ Gemini awakens... [{workflow_name}]({run_url}) begins its journey on this {event_type}...\",\"runSuccess\":\"🚀 [{workflow_name}]({run_url}) **MISSION COMPLETE!** Gemini has spoken. ✨\",\"runFailure\":\"⚠️ [{workflow_name}]({run_url}) {status}. Gemini encountered unexpected challenges...\"}" GH_AW_WORKFLOW_ID: "smoke-gemini" GH_AW_WORKFLOW_NAME: "Smoke Gemini" @@ -1443,6 +1454,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1468,9 +1481,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1499,6 +1512,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 2b7d819c47..ae2558a9d5 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -75,6 +75,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -297,8 +299,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokemultipr outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -319,6 +324,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1112,7 +1119,7 @@ jobs: group: "gh-aw-conclusion-smoke-multi-pr" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1127,6 +1134,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1263,6 +1272,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1291,7 +1302,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-multi-pr" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Multi PR smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing multiple PR creation...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully created multiple PRs.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to create multiple PRs. Check the logs.\"}" GH_AW_WORKFLOW_ID: "smoke-multi-pr" GH_AW_WORKFLOW_NAME: "Smoke Multi PR" @@ -1316,6 +1327,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1370,9 +1383,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index a35bc6b045..8cab1396ef 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -73,6 +73,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -296,8 +298,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeproject outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -318,6 +323,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1545,7 +1552,7 @@ jobs: group: "gh-aw-conclusion-smoke-project" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1560,6 +1567,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1696,6 +1705,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1724,7 +1735,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-project" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Project smoke test report by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing project operations...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. All project operations validated.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-project" GH_AW_WORKFLOW_NAME: "Smoke Project" @@ -1752,6 +1763,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1809,9 +1821,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 51b8dd1e27..3dd56cd72a 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -73,6 +73,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -292,8 +294,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smoketemporaryid outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -314,6 +319,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1132,7 +1139,7 @@ jobs: group: "gh-aw-conclusion-smoke-temporary-id" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1147,6 +1154,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1267,6 +1276,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1293,7 +1304,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-temporary-id" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🧪 *Temporary ID smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🧪 [{workflow_name}]({run_url}) is now testing temporary ID functionality...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) completed successfully. Temporary ID validation passed.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) encountered failures. Check the logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-temporary-id" GH_AW_WORKFLOW_NAME: "Smoke Temporary ID" @@ -1318,6 +1329,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1343,9 +1356,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index fae54499fc..5c6533ae8e 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -75,6 +75,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -281,8 +283,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smoketesttools outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -303,6 +308,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1010,7 +1017,7 @@ jobs: group: "gh-aw-conclusion-smoke-test-tools" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1025,6 +1032,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1145,6 +1154,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1171,7 +1182,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-test-tools" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔧 *Tool validation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔧 Starting tool validation... [{workflow_name}]({run_url}) is checking the agent container tools...\",\"runSuccess\":\"✅ All tools validated successfully! [{workflow_name}]({run_url}) confirms agent container is ready.\",\"runFailure\":\"❌ Tool validation failed! [{workflow_name}]({run_url}) detected missing tools: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-test-tools" GH_AW_WORKFLOW_NAME: "Agent Container Smoke Test" @@ -1194,6 +1205,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1219,9 +1232,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index f0511facb3..a2a930de4e 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -74,6 +74,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -295,8 +297,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeupdatecrossrepopr outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -317,6 +322,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1171,7 +1178,7 @@ jobs: group: "gh-aw-conclusion-smoke-update-cross-repo-pr" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1186,6 +1193,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1307,6 +1316,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1335,7 +1346,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-update-cross-repo-pr" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📜 *Cross-repo PR update smoke test by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📜 [{workflow_name}]({run_url}) is adding the next Odyssey line to githubnext/gh-aw-side-repo PR #1...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully updated the cross-repo PR with a new Odyssey line!\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to update the cross-repo PR: {status}\"}" GH_AW_WORKFLOW_ID: "smoke-update-cross-repo-pr" GH_AW_WORKFLOW_NAME: "Smoke Update Cross-Repo PR" @@ -1363,6 +1374,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1419,9 +1431,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1450,6 +1462,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 625e6b69f7..1bb5682f4a 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -82,6 +82,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Resolve host repo for activation checkout id: resolve-host-repo uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -95,7 +97,7 @@ jobs: id: artifact-prefix env: INPUTS_JSON: ${{ toJSON(inputs) }} - run: bash /opt/gh-aw/actions/compute_artifact_prefix.sh + run: bash ${GH_AW_HOME}/actions/compute_artifact_prefix.sh - name: Generate agentic run info id: generate_aw_info env: @@ -296,8 +298,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeworkflowcallwithinputs outputs: artifact_prefix: ${{ needs.activation.outputs.artifact_prefix }} @@ -319,6 +324,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1042,7 +1049,7 @@ jobs: group: "gh-aw-conclusion-smoke-workflow-call-with-inputs" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1057,6 +1064,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1154,6 +1163,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1180,7 +1191,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-workflow-call-with-inputs" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "smoke-workflow-call-with-inputs" GH_AW_WORKFLOW_NAME: "Smoke Workflow Call with Inputs" outputs: @@ -1202,6 +1213,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1227,9 +1240,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 457ff1809e..32c6391708 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -70,6 +70,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Resolve host repo for activation checkout id: resolve-host-repo uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -83,7 +85,7 @@ jobs: id: artifact-prefix env: INPUTS_JSON: ${{ toJSON(inputs) }} - run: bash /opt/gh-aw/actions/compute_artifact_prefix.sh + run: bash ${GH_AW_HOME}/actions/compute_artifact_prefix.sh - name: Generate agentic run info id: generate_aw_info env: @@ -276,8 +278,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: smokeworkflowcall outputs: artifact_prefix: ${{ needs.activation.outputs.artifact_prefix }} @@ -299,6 +304,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1001,7 +1008,7 @@ jobs: group: "gh-aw-conclusion-smoke-workflow-call" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1016,6 +1023,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1114,6 +1123,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1142,7 +1153,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/smoke-workflow-call" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔁 *workflow_call smoke test by [{workflow_name}]({run_url})*{history_link}\",\"appendOnlyComments\":true,\"runStarted\":\"🔁 [{workflow_name}]({run_url}) is validating workflow_call checkout...\",\"runSuccess\":\"✅ [{workflow_name}]({run_url}) successfully validated workflow_call checkout.\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) failed to validate workflow_call checkout. Check the logs.\"}" GH_AW_WORKFLOW_ID: "smoke-workflow-call" GH_AW_WORKFLOW_NAME: "Smoke Workflow Call" @@ -1165,6 +1176,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1190,9 +1203,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 0737ff71b1..32aca42fcc 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -74,6 +74,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -289,8 +291,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: stalerepoidentifier outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -311,6 +316,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1133,7 +1140,7 @@ jobs: group: "gh-aw-conclusion-stale-repo-identifier" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1148,6 +1155,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1240,7 +1249,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/stale-repo-identifier" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Analysis by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"🔍 Stale Repository Identifier starting! [{workflow_name}]({run_url}) is analyzing repository activity...\",\"runSuccess\":\"✅ Analysis complete! [{workflow_name}]({run_url}) has finished analyzing stale repositories.\",\"runFailure\":\"⚠️ Analysis interrupted! [{workflow_name}]({run_url}) {status}.\"}" GH_AW_WORKFLOW_ID: "stale-repo-identifier" GH_AW_WORKFLOW_NAME: "Stale Repository Identifier" @@ -1263,6 +1272,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1288,9 +1299,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1319,6 +1330,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1362,6 +1375,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index ef14c4dc8b..33217a2f18 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -259,8 +261,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: staticanalysisreport outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -280,6 +285,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1118,7 +1125,7 @@ jobs: group: "gh-aw-conclusion-static-analysis-report" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1133,6 +1140,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1226,7 +1235,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/static-analysis-report" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "static-analysis-report" GH_AW_WORKFLOW_NAME: "Static Analysis Report" outputs: @@ -1246,6 +1255,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1271,9 +1282,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1302,6 +1313,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 60b4dcc10d..7caa0a60e1 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -59,6 +59,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -250,8 +252,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: stepnamealignment outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -271,6 +276,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1072,7 +1079,7 @@ jobs: group: "gh-aw-conclusion-step-name-alignment" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1087,6 +1094,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1177,7 +1186,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/step-name-alignment" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "step-name-alignment" GH_AW_WORKFLOW_NAME: "Step Name Alignment" outputs: @@ -1199,6 +1208,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1224,9 +1235,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1255,6 +1266,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 7b79ed0d8a..604e466304 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -59,6 +59,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -243,8 +245,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: subissuecloser outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -265,6 +270,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1073,7 +1080,7 @@ jobs: group: "gh-aw-conclusion-sub-issue-closer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1088,6 +1095,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1181,7 +1190,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/sub-issue-closer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "sub-issue-closer" GH_AW_WORKFLOW_NAME: "Sub-Issue Closer" outputs: @@ -1203,6 +1212,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1228,9 +1239,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index af9d14a859..7d452057aa 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -62,6 +62,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -266,8 +268,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: superlinter outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -288,6 +293,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1018,7 +1025,7 @@ jobs: group: "gh-aw-conclusion-super-linter" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1033,6 +1040,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1124,7 +1133,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/super-linter" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "super-linter" GH_AW_WORKFLOW_NAME: "Super Linter Report" outputs: @@ -1146,6 +1155,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1171,9 +1182,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1248,6 +1259,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 89e0c8ea82..b7fcc9605b 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -67,6 +67,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -288,8 +290,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: technicaldocwriter outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -310,6 +315,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1337,7 +1344,7 @@ jobs: group: "gh-aw-conclusion-technical-doc-writer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1352,6 +1359,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1463,7 +1472,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1478,6 +1487,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1540,7 +1551,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/technical-doc-writer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📝 *Documentation by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"✍️ The Technical Writer begins! [{workflow_name}]({run_url}) is documenting this {event_type}...\",\"runSuccess\":\"📝 Documentation complete! [{workflow_name}]({run_url}) has written the docs. Clear as crystal! ✨\",\"runFailure\":\"✍️ Writer's block! [{workflow_name}]({run_url}) {status}. The page remains blank...\"}" GH_AW_WORKFLOW_ID: "technical-doc-writer" GH_AW_WORKFLOW_NAME: "Rebuild the documentation after making changes" @@ -1565,6 +1576,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1619,9 +1632,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1650,6 +1663,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1693,6 +1708,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 0fe94fcfd3..94d6bbc893 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -254,8 +256,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: terminalstylist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,6 +281,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -970,7 +977,7 @@ jobs: group: "gh-aw-conclusion-terminal-stylist" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -985,6 +992,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1079,7 +1088,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/terminal-stylist" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "terminal-stylist" GH_AW_WORKFLOW_NAME: "Terminal Stylist" outputs: @@ -1099,6 +1108,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1124,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 23ab562e07..b409887ba1 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -56,6 +56,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -248,8 +250,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: testcreateprerrorhandling outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -269,6 +274,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1059,7 +1066,7 @@ jobs: group: "gh-aw-conclusion-test-create-pr-error-handling" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1074,6 +1081,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1183,7 +1192,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/test-create-pr-error-handling" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "test-create-pr-error-handling" GH_AW_WORKFLOW_NAME: "Test Create PR Error Handling" outputs: @@ -1205,6 +1214,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1259,9 +1270,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1290,6 +1301,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 2b26162cd7..e18ff14728 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -55,6 +55,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -236,8 +238,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: testdispatcher outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -258,6 +263,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -900,7 +907,7 @@ jobs: group: "gh-aw-conclusion-test-dispatcher" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -915,6 +922,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1005,7 +1014,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/test-dispatcher" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "test-dispatcher" GH_AW_WORKFLOW_NAME: "Test Dispatcher Workflow" outputs: @@ -1025,6 +1034,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1050,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 4d3ded6387..127db8c7f0 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -55,6 +55,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -235,8 +237,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: testprojecturldefault outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -257,6 +262,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1159,7 +1166,7 @@ jobs: group: "gh-aw-conclusion-test-project-url-default" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1174,6 +1181,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1264,7 +1273,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/test-project-url-default" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "test-project-url-default" GH_AW_WORKFLOW_NAME: "Test Project URL Explicit Requirement" outputs: @@ -1285,6 +1294,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: + destination: ${{ env.GH_AW_HOME }}/actions safe-output-custom-tokens: 'true' - name: Download agent output artifact id: download-agent-output @@ -1313,9 +1323,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index dfac6f37ee..a9b46c1914 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -60,6 +60,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -231,7 +233,7 @@ jobs: permissions: contents: read env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: testworkflow outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -247,6 +249,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index f7fef188bf..50077b57ca 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -83,6 +83,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -301,8 +303,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: tidy outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -323,6 +328,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1131,7 +1138,7 @@ jobs: group: "gh-aw-conclusion-tidy" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1146,6 +1153,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1264,6 +1273,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1302,7 +1313,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/tidy" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "tidy" GH_AW_WORKFLOW_NAME: "Tidy" outputs: @@ -1326,6 +1337,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1380,9 +1393,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index ca76ab52d8..db61bc4beb 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -255,8 +257,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: typist outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -276,6 +281,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1054,7 +1061,7 @@ jobs: group: "gh-aw-conclusion-typist" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1069,6 +1076,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1162,7 +1171,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/typist" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "typist" GH_AW_WORKFLOW_NAME: "Typist - Go Type Analysis" outputs: @@ -1182,6 +1191,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1207,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index fc47bdd885..5e5e3f64b4 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -66,6 +66,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -260,8 +262,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: ubuntuimageanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -282,6 +287,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1020,7 +1027,7 @@ jobs: group: "gh-aw-conclusion-ubuntu-image-analyzer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1035,6 +1042,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1153,6 +1162,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1193,7 +1204,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/ubuntu-image-analyzer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "ubuntu-image-analyzer" GH_AW_WORKFLOW_ID: "ubuntu-image-analyzer" GH_AW_WORKFLOW_NAME: "Ubuntu Actions Image Analyzer" @@ -1216,6 +1227,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1270,9 +1283,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 1a8ed08ee9..f8c204931d 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -80,6 +80,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -313,8 +315,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: unbloatdocs outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -334,6 +339,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Create gh-aw temp directory run: | bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh @@ -1456,7 +1463,7 @@ jobs: group: "gh-aw-conclusion-unbloat-docs" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1471,6 +1478,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1587,6 +1596,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1626,7 +1637,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/unbloat-docs" GH_AW_ENGINE_ID: "claude" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🗜️ *Compressed by [{workflow_name}]({run_url})*{history_link}\",\"runStarted\":\"📦 Time to slim down! [{workflow_name}]({run_url}) is trimming the excess from this {event_type}...\",\"runSuccess\":\"🗜️ Docs on a diet! [{workflow_name}]({run_url}) has removed the bloat. Lean and mean! 💪\",\"runFailure\":\"📦 Unbloating paused! [{workflow_name}]({run_url}) {status}. The docs remain... fluffy.\"}" GH_AW_WORKFLOW_ID: "unbloat-docs" GH_AW_WORKFLOW_NAME: "Documentation Unbloat" @@ -1651,6 +1662,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1705,9 +1718,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1736,6 +1749,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1779,6 +1794,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 1b10008c21..498a0ef588 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -256,8 +258,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: videoanalyzer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -278,6 +283,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1010,7 +1017,7 @@ jobs: group: "gh-aw-conclusion-video-analyzer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1025,6 +1032,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1116,7 +1125,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/video-analyzer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "video-analyzer" GH_AW_WORKFLOW_NAME: "Video Analysis Agent" outputs: @@ -1138,6 +1147,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1163,9 +1174,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 0227a73718..2dc8118aaa 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -59,6 +59,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -250,8 +252,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: weeklyeditorshealthcheck outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -272,6 +277,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1068,7 +1075,7 @@ jobs: group: "gh-aw-conclusion-weekly-editors-health-check" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1083,6 +1090,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1198,7 +1207,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-editors-health-check" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "weekly-editors-health-check" GH_AW_WORKFLOW_ID: "weekly-editors-health-check" GH_AW_WORKFLOW_NAME: "Weekly Editors Health Check" @@ -1221,6 +1230,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1275,9 +1286,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1307,6 +1318,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 8df10a660f..71d5b4f3c3 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -64,6 +64,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -269,8 +271,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: weeklyissuesummary outputs: detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} @@ -290,6 +295,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1041,7 +1048,7 @@ jobs: group: "gh-aw-conclusion-weekly-issue-summary" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1056,6 +1063,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1153,7 +1162,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-issue-summary" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "weekly-issue-summary" GH_AW_WORKFLOW_ID: "weekly-issue-summary" GH_AW_WORKFLOW_NAME: "Weekly Issue Summary" @@ -1174,6 +1183,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1199,9 +1210,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1230,6 +1241,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download cache-memory artifact (default) id: download_cache_default uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -1273,6 +1286,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 6685f83758..6db7222251 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -59,6 +59,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -248,8 +250,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: weeklysafeoutputsspecreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -270,6 +275,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -971,7 +978,7 @@ jobs: group: "gh-aw-conclusion-weekly-safe-outputs-spec-review" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -986,6 +993,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1101,7 +1110,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/weekly-safe-outputs-spec-review" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "weekly-safe-outputs-spec-review" GH_AW_WORKFLOW_ID: "weekly-safe-outputs-spec-review" GH_AW_WORKFLOW_NAME: "Weekly Safe Outputs Specification Review" @@ -1124,6 +1133,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1178,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index f88deafb36..e319cbf973 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -68,6 +68,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -287,8 +289,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflowgenerator outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -309,6 +314,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1115,7 +1122,7 @@ jobs: group: "gh-aw-conclusion-workflow-generator" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1130,6 +1137,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1231,6 +1240,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1273,7 +1284,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-generator" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "workflow-generator" GH_AW_WORKFLOW_NAME: "Workflow Generator" outputs: @@ -1296,6 +1307,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1321,9 +1334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign to agent id: assign_to_agent @@ -1337,9 +1350,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/assign_to_agent.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/assign_to_agent.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() @@ -1369,6 +1382,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Unlock issue after agent workflow id: unlock-issue if: ((github.event_name == 'issues') || (github.event_name == 'issue_comment')) && (needs.activation.outputs.issue_locked == 'true') diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 05cad24a14..0d4cb917cf 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -65,6 +65,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -269,8 +271,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflowhealthmanager outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -291,6 +296,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1216,7 +1223,7 @@ jobs: group: "gh-aw-conclusion-workflow-health-manager" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1231,6 +1238,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1332,6 +1341,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -1355,7 +1366,7 @@ jobs: group: "push-repo-memory-${{ github.repository }}" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }} validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} @@ -1370,6 +1381,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1430,7 +1443,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-health-manager" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "workflow-health-manager" GH_AW_WORKFLOW_NAME: "Workflow Health Manager - Meta-Orchestrator" outputs: @@ -1454,6 +1467,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1479,9 +1494,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index e8130bb9fb..e5e40ccddd 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -252,8 +254,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflownormalizer outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -274,6 +279,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1048,7 +1055,7 @@ jobs: group: "gh-aw-conclusion-workflow-normalizer" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1063,6 +1070,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1158,7 +1167,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-normalizer" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_TRACKER_ID: "workflow-normalizer" GH_AW_WORKFLOW_ID: "workflow-normalizer" GH_AW_WORKFLOW_NAME: "Workflow Normalizer" @@ -1181,6 +1190,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1206,9 +1217,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index b0ac6f60df..a18f95320d 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -63,6 +63,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -251,8 +253,11 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: "" GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ env.GH_AW_HOME }}/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: workflowskillextractor outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -273,6 +278,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -1061,7 +1068,7 @@ jobs: group: "gh-aw-conclusion-workflow-skill-extractor" cancel-in-progress: false env: - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} outputs: noop_message: ${{ steps.noop.outputs.noop_message }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} @@ -1076,6 +1083,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1170,7 +1179,7 @@ jobs: env: GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/workflow-skill-extractor" GH_AW_ENGINE_ID: "copilot" - GH_AW_HOME: /opt/gh-aw + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID: "workflow-skill-extractor" GH_AW_WORKFLOW_NAME: "Workflow Skill Extractor" outputs: @@ -1192,6 +1201,8 @@ jobs: persist-credentials: false - name: Setup Scripts uses: ./actions/setup + with: + destination: ${{ env.GH_AW_HOME }}/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1217,9 +1228,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('${GH_AW_HOME}/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('${GH_AW_HOME}/actions/safe_output_handler_manager.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/safe_output_handler_manager.cjs'); await main(); - name: Upload Safe Output Items Manifest if: always() diff --git a/actions/setup/setup.sh b/actions/setup/setup.sh index d934b596df..4bd328118b 100755 --- a/actions/setup/setup.sh +++ b/actions/setup/setup.sh @@ -26,6 +26,8 @@ create_dir() { # Get destination from input or use default DESTINATION="${INPUT_DESTINATION:-/opt/gh-aw/actions}" +# Normalize trailing slash before deriving GH_AW_HOME +DESTINATION="${DESTINATION%/}" # Derive GH_AW_HOME from DESTINATION (strip /actions suffix) # This allows setup.sh to be used with custom base directories diff --git a/actions/setup/sh/start_mcp_gateway.sh b/actions/setup/sh/start_mcp_gateway.sh index 59ae5cd033..ecd88d11ad 100755 --- a/actions/setup/sh/start_mcp_gateway.sh +++ b/actions/setup/sh/start_mcp_gateway.sh @@ -355,19 +355,19 @@ echo "Detected engine type: $ENGINE_TYPE" case "$ENGINE_TYPE" in copilot) echo "Using Copilot converter..." - bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_copilot.sh + bash "${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_copilot.sh" ;; codex) echo "Using Codex converter..." - bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_codex.sh + bash "${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_codex.sh" ;; claude) echo "Using Claude converter..." - bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_claude.sh + bash "${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_claude.sh" ;; gemini) echo "Using Gemini converter..." - bash ${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_gemini.sh + bash "${GH_AW_HOME:-/opt/gh-aw}/actions/convert_gateway_config_gemini.sh" ;; *) echo "No agent-specific converter found for engine: $ENGINE_TYPE" @@ -384,13 +384,13 @@ echo "" # Check MCP server functionality echo "Checking MCP server functionality..." MCP_CHECK_START=$(date +%s%3N) -if [ -f ${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh ]; then +if [ -f "${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh" ]; then echo "Running MCP server checks..." # Store check diagnostic logs in /tmp/gh-aw/mcp-logs/start-gateway.log for artifact upload # Use tee to output to both stdout and the log file # Enable pipefail so the exit code comes from check_mcp_servers.sh, not tee set -o pipefail - if ! bash ${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh \ + if ! bash "${GH_AW_HOME:-/opt/gh-aw}/actions/check_mcp_servers.sh" \ /tmp/gh-aw/mcp-config/gateway-output.json \ "http://localhost:${MCP_GATEWAY_PORT}" \ "${MCP_GATEWAY_API_KEY}" 2>&1 | tee /tmp/gh-aw/mcp-logs/start-gateway.log; then diff --git a/actions/setup/sh/start_mcp_scripts_server.sh b/actions/setup/sh/start_mcp_scripts_server.sh index 0c79ae537c..505262f1d6 100755 --- a/actions/setup/sh/start_mcp_scripts_server.sh +++ b/actions/setup/sh/start_mcp_scripts_server.sh @@ -4,7 +4,7 @@ set -e -cd ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts || exit 1 +cd "${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts" || exit 1 # Verify required files exist echo "Verifying mcp-scripts setup..." @@ -12,12 +12,12 @@ echo "Verifying mcp-scripts setup..." # Check core configuration files if [ ! -f mcp-server.cjs ]; then echo "ERROR: mcp-server.cjs not found in ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts" - ls -la ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/ + ls -la "${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/" exit 1 fi if [ ! -f tools.json ]; then echo "ERROR: tools.json not found in ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts" - ls -la ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/ + ls -la "${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/" exit 1 fi @@ -54,7 +54,7 @@ if [ ${#MISSING_FILES[@]} -gt 0 ]; then done echo echo "Current directory contents:" - ls -la ${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/ + ls -la "${GH_AW_HOME:-/opt/gh-aw}/mcp-scripts/" echo echo "These files should have been copied by the Setup Scripts action." echo "This usually indicates a problem with the actions/setup step." diff --git a/actions/setup/sh/start_safe_outputs_server.sh b/actions/setup/sh/start_safe_outputs_server.sh index ef1628de05..0b7810945c 100755 --- a/actions/setup/sh/start_safe_outputs_server.sh +++ b/actions/setup/sh/start_safe_outputs_server.sh @@ -4,7 +4,7 @@ set -e -cd ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs || exit 1 +cd "${GH_AW_HOME:-/opt/gh-aw}/safeoutputs" || exit 1 # Verify required files exist echo "Verifying safe-outputs setup..." @@ -12,12 +12,12 @@ echo "Verifying safe-outputs setup..." # Check core files (mcp-server.cjs and tools.json are required) if [ ! -f mcp-server.cjs ]; then echo "ERROR: mcp-server.cjs not found in ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs" - ls -la ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/ + ls -la "${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/" exit 1 fi if [ ! -f tools.json ]; then echo "ERROR: tools.json not found in ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs" - ls -la ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/ + ls -la "${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/" exit 1 fi @@ -54,7 +54,7 @@ if [ ${#MISSING_FILES[@]} -gt 0 ]; then done echo echo "Current directory contents:" - ls -la ${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/ + ls -la "${GH_AW_HOME:-/opt/gh-aw}/safeoutputs/" echo echo "These files should have been copied by the Setup Scripts action." echo "This usually indicates a problem with the actions/setup step." diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index f9c3a23168..6686507737 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -439,8 +439,9 @@ const DevModeGhAwImage = "localhost/gh-aw:dev" const GhAwHomeDefault = "/opt/gh-aw" // DefaultGhAwMount is the mount path for the gh-aw directory in containerized MCP servers -// Uses shell expansion so docker gets the resolved path at runtime -const DefaultGhAwMount = "\\${GH_AW_HOME:-/opt/gh-aw}:\\${GH_AW_HOME:-/opt/gh-aw}:ro" +// Uses shell expansion so docker gets the resolved path at runtime. +// GH_AW_HOME is always set in the job-level env, so no fallback is needed here. +const DefaultGhAwMount = "\\${GH_AW_HOME}:\\${GH_AW_HOME}:ro" // DefaultGhBinaryMount is the mount path for the gh CLI binary in containerized MCP servers // The gh CLI is required for agentic-workflows MCP server to run gh commands diff --git a/pkg/workflow/agentic_output_test.go b/pkg/workflow/agentic_output_test.go index c68b3c1ffe..9f855e46a1 100644 --- a/pkg/workflow/agentic_output_test.go +++ b/pkg/workflow/agentic_output_test.go @@ -62,8 +62,8 @@ This workflow tests the agentic output collection functionality. lockContent := string(content) // Verify GH_AW_SAFE_OUTPUTS is set at job level with fixed path - if !strings.Contains(lockContent, "GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl") { - t.Error("Expected 'GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl' environment variable in generated workflow") + if !strings.Contains(lockContent, "GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl") { + t.Error("Expected 'GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl' environment variable in generated workflow") } if !strings.Contains(lockContent, "- name: Ingest agent output") { @@ -171,8 +171,8 @@ This workflow tests that Codex engine gets GH_AW_SAFE_OUTPUTS but not engine out lockContent := string(content) // Verify that Codex workflow DOES have GH_AW_SAFE_OUTPUTS functionality at job level - if !strings.Contains(lockContent, "GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl") { - t.Error("Codex workflow should have 'GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl' environment variable (GH_AW_SAFE_OUTPUTS functionality)") + if !strings.Contains(lockContent, "GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl") { + t.Error("Codex workflow should have 'GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_HOME }}/safeoutputs/outputs.jsonl' environment variable (GH_AW_SAFE_OUTPUTS functionality)") } if !strings.Contains(lockContent, "- name: Ingest agent output") { diff --git a/pkg/workflow/agentic_workflow_test.go b/pkg/workflow/agentic_workflow_test.go index 1120317735..b34499e2bf 100644 --- a/pkg/workflow/agentic_workflow_test.go +++ b/pkg/workflow/agentic_workflow_test.go @@ -162,7 +162,7 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { "install step should include command to verify gh-aw installation") // Verify the binary copy command is present for MCP server containerization - assert.Contains(t, result, "cp \"$GH_AW_BIN\" /opt/gh-aw/gh-aw", + assert.Contains(t, result, "cp \"$GH_AW_BIN\" ${GH_AW_HOME}/gh-aw", "install step should copy gh-aw binary to /opt/gh-aw for MCP server containerization") } diff --git a/pkg/workflow/aw_info_tmp_test.go b/pkg/workflow/aw_info_tmp_test.go index a26f50da6f..2b3d1b3cad 100644 --- a/pkg/workflow/aw_info_tmp_test.go +++ b/pkg/workflow/aw_info_tmp_test.go @@ -56,7 +56,7 @@ This workflow tests that aw_info.json is generated in /tmp directory. lockStr := string(lockContent) // Test 1: Verify the step uses the generate_aw_info.cjs module - if !strings.Contains(lockStr, "require('/opt/gh-aw/actions/generate_aw_info.cjs')") { + if !strings.Contains(lockStr, "require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs')") { t.Error("Expected step to require generate_aw_info.cjs module") } diff --git a/pkg/workflow/cache_memory_integration_test.go b/pkg/workflow/cache_memory_integration_test.go index b920405868..9330802e32 100644 --- a/pkg/workflow/cache_memory_integration_test.go +++ b/pkg/workflow/cache_memory_integration_test.go @@ -42,7 +42,7 @@ tools: "uses: actions/cache@", "key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}", "path: /tmp/gh-aw/cache-memory", - "cat \"/opt/gh-aw/prompts/cache_memory_prompt.md\"", + "cat \"${GH_AW_HOME}/prompts/cache_memory_prompt.md\"", "GH_AW_CACHE_DIR: '/tmp/gh-aw/cache-memory/'", "GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR", }, diff --git a/pkg/workflow/cjs_require_validation_test.go b/pkg/workflow/cjs_require_validation_test.go index b858f748f9..d43816d532 100644 --- a/pkg/workflow/cjs_require_validation_test.go +++ b/pkg/workflow/cjs_require_validation_test.go @@ -15,7 +15,7 @@ import ( // do not use require() statements with "actions/" paths or "@actions/*" npm packages. // // When these .cjs files are deployed to GitHub Actions runners, they are copied -// to /opt/gh-aw/actions/ as a flat directory structure. Any require() statements +// to ${GH_AW_HOME}/actions/ as a flat directory structure. Any require() statements // that reference "actions/..." paths or "@actions/*" npm packages would fail because: // 1. There's no parent "actions/" directory in the runtime environment // 2. All files are in the same flat directory @@ -166,7 +166,7 @@ func TestCJSFilesNoActionsRequires(t *testing.T) { t.Errorf(" - %s", violation) } t.Error("\nWhen .cjs files are deployed to GitHub Actions runners, they are copied") - t.Error("to /opt/gh-aw/actions/ as a flat directory. Any require() statements that") + t.Error("to ${GH_AW_HOME}/actions/ as a flat directory. Any require() statements that") t.Error("reference 'actions/...' paths or '@actions/*' npm packages will fail at runtime") t.Error("because:") t.Error(" 1. The parent 'actions/' directory structure doesn't exist") diff --git a/pkg/workflow/codex_engine_test.go b/pkg/workflow/codex_engine_test.go index 1f8242b6f2..8f7007663f 100644 --- a/pkg/workflow/codex_engine_test.go +++ b/pkg/workflow/codex_engine_test.go @@ -208,7 +208,7 @@ func TestCodexEngineRenderMCPConfig(t *testing.T) { "GH_AW_MCP_CONFIG_EOF", "", "# Generate JSON config for MCP gateway", - "cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh", + "cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh", "{", "\"mcpServers\": {", "\"github\": {", diff --git a/pkg/workflow/compiler_custom_actions_test.go b/pkg/workflow/compiler_custom_actions_test.go index e2de221cd8..ed40c11000 100644 --- a/pkg/workflow/compiler_custom_actions_test.go +++ b/pkg/workflow/compiler_custom_actions_test.go @@ -247,7 +247,7 @@ Test workflow with script mode. } // 5. Setup step should have INPUT_DESTINATION environment variable - if !strings.Contains(lockStr, "INPUT_DESTINATION: /opt/gh-aw/actions") { + if !strings.Contains(lockStr, "INPUT_DESTINATION: ${{ env.GH_AW_HOME }}/actions") { t.Error("Expected INPUT_DESTINATION environment variable in setup step for script mode") } diff --git a/pkg/workflow/compiler_main_job.go b/pkg/workflow/compiler_main_job.go index 4a4a06a3b5..01fd74fc31 100644 --- a/pkg/workflow/compiler_main_job.go +++ b/pkg/workflow/compiler_main_job.go @@ -175,12 +175,18 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( } // Build job-level environment variables - // Always initialize env with GH_AW_HOME so steps don't need the :-fallback syntax + // Use GhAwHomeExprDefault so callers can override GH_AW_HOME via workflow/repo env env := map[string]string{ - "GH_AW_HOME": constants.GhAwHomeDefault, + "GH_AW_HOME": GhAwHomeExprDefault, } if data.SafeOutputs != nil { + // Set GH_AW_SAFE_OUTPUTS and related paths as job-level env vars. + // Using GhAwHomeExpr so paths adapt when GH_AW_HOME is overridden. + env["GH_AW_SAFE_OUTPUTS"] = GhAwHomeExpr + "/safeoutputs/outputs.jsonl" + env["GH_AW_SAFE_OUTPUTS_CONFIG_PATH"] = GhAwHomeExpr + "/safeoutputs/config.json" + env["GH_AW_SAFE_OUTPUTS_TOOLS_PATH"] = GhAwHomeExpr + "/safeoutputs/tools.json" + // Set GH_AW_MCP_LOG_DIR for safe outputs MCP server logging // Store in mcp-logs directory so it's included in mcp-logs artifact env["GH_AW_MCP_LOG_DIR"] = "/tmp/gh-aw/mcp-logs/safeoutputs" diff --git a/pkg/workflow/compiler_safe_outputs_job.go b/pkg/workflow/compiler_safe_outputs_job.go index df7dde2c4c..75d2224e62 100644 --- a/pkg/workflow/compiler_safe_outputs_job.go +++ b/pkg/workflow/compiler_safe_outputs_job.go @@ -390,8 +390,9 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa func (c *Compiler) buildJobLevelSafeOutputEnvVars(data *WorkflowData, workflowID string) map[string]string { envVars := make(map[string]string) - // Set GH_AW_HOME so steps can use $GH_AW_HOME without the :-fallback syntax - envVars["GH_AW_HOME"] = constants.GhAwHomeDefault + // Set GH_AW_HOME so steps can use $GH_AW_HOME without the :-fallback syntax. + // Use GhAwHomeExprDefault so callers can override via workflow/repo env. + envVars["GH_AW_HOME"] = GhAwHomeExprDefault // Set GH_AW_WORKFLOW_ID to the workflow ID (filename without extension) // This is used for branch naming in create_pull_request and other operations diff --git a/pkg/workflow/compiler_safe_outputs_specialized.go b/pkg/workflow/compiler_safe_outputs_specialized.go index 9217585f8d..4e30457435 100644 --- a/pkg/workflow/compiler_safe_outputs_specialized.go +++ b/pkg/workflow/compiler_safe_outputs_specialized.go @@ -127,7 +127,7 @@ func (c *Compiler) buildCreateAgentSessionStepConfig(data *WorkflowData, mainJob return SafeOutputStepConfig{ StepName: "Create Agent Session", StepID: "create_agent_session", - Script: "const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main();", + Script: "const { main } = require(" + JsRequireGhAw("actions/create_agent_session.cjs") + "); await main();", CustomEnvVars: customEnvVars, Condition: condition, Token: cfg.GitHubToken, diff --git a/pkg/workflow/compiler_safe_outputs_steps.go b/pkg/workflow/compiler_safe_outputs_steps.go index d67426dbd7..fc3b480d78 100644 --- a/pkg/workflow/compiler_safe_outputs_steps.go +++ b/pkg/workflow/compiler_safe_outputs_steps.go @@ -159,13 +159,13 @@ func (c *Compiler) buildConsolidatedSafeOutputStep(data *WorkflowData, config Sa // Use require mode if ScriptName is set, otherwise inline the bundled script if config.ScriptName != "" { // Require mode: Use setup_globals helper - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, fmt.Sprintf(" const { main } = require('"+SetupActionDestination+"/%s.cjs');\n", config.ScriptName)) + steps = append(steps, " const { main } = require("+JsRequireGhAw("actions/"+config.ScriptName+".cjs")+");\n") steps = append(steps, " await main();\n") } else { // Inline JavaScript: Use setup_globals helper - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") // Inline mode: embed the bundled script directly formattedScript := FormatJavaScriptForYAML(config.Script) @@ -437,9 +437,9 @@ func (c *Compiler) buildHandlerManagerStep(data *WorkflowData) []string { c.addSafeOutputGitHubTokenForConfig(&steps, data, configToken) steps = append(steps, " script: |\n") - steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") + steps = append(steps, " const { setupGlobals } = require("+JsRequireGhAw("actions/setup_globals.cjs")+");\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") - steps = append(steps, " const { main } = require('"+SetupActionDestination+"/safe_output_handler_manager.cjs');\n") + steps = append(steps, " const { main } = require("+JsRequireGhAw("actions/safe_output_handler_manager.cjs")+");\n") steps = append(steps, " await main();\n") return steps diff --git a/pkg/workflow/compiler_safe_outputs_steps_test.go b/pkg/workflow/compiler_safe_outputs_steps_test.go index 3e70e9d29d..498d8ebcef 100644 --- a/pkg/workflow/compiler_safe_outputs_steps_test.go +++ b/pkg/workflow/compiler_safe_outputs_steps_test.go @@ -47,7 +47,7 @@ func TestBuildConsolidatedSafeOutputStep(t *testing.T) { "name: Create Issue", "id: create_issue", "setupGlobals", - "require('/opt/gh-aw/actions/create_issue_handler.cjs')", + "require(process.env.GH_AW_HOME + '/actions/create_issue_handler.cjs')", "await main();", }, checkNotContains: []string{ @@ -749,7 +749,7 @@ func TestScriptNameVsInlineScript(t *testing.T) { stepsContent := strings.Join(steps, "") assert.Contains(t, stepsContent, "setupGlobals") - assert.Contains(t, stepsContent, "require('/opt/gh-aw/actions/test_handler.cjs')") + assert.Contains(t, stepsContent, "require(process.env.GH_AW_HOME + '/actions/test_handler.cjs')") assert.Contains(t, stepsContent, "await main()") assert.NotContains(t, stepsContent, "console.log") }) diff --git a/pkg/workflow/compiler_workflow_call.go b/pkg/workflow/compiler_workflow_call.go index 8cb8fe0db6..a37136cb35 100644 --- a/pkg/workflow/compiler_workflow_call.go +++ b/pkg/workflow/compiler_workflow_call.go @@ -47,7 +47,7 @@ func generateArtifactPrefixStep() []string { " id: artifact-prefix\n", " env:\n", " INPUTS_JSON: ${{ toJSON(inputs) }}\n", - " run: bash /opt/gh-aw/actions/compute_artifact_prefix.sh\n", + " run: bash " + GhAwHome + "/actions/compute_artifact_prefix.sh\n", } } diff --git a/pkg/workflow/compiler_yaml_helpers.go b/pkg/workflow/compiler_yaml_helpers.go index 23a478c106..a1e6d35712 100644 --- a/pkg/workflow/compiler_yaml_helpers.go +++ b/pkg/workflow/compiler_yaml_helpers.go @@ -308,7 +308,8 @@ func generateInlineGitHubScriptStep(stepName, script, condition string) string { // // Parameters: // - setupActionRef: The action reference for setup action (e.g., "./actions/setup" or "github/gh-aw/actions/setup@sha") -// - destination: Unused. Kept for API compatibility. The setup action defaults to /opt/gh-aw/actions. +// - destination: The destination path where files should be copied (e.g., SetupActionDestination). +// This is passed as INPUT_DESTINATION in script mode or as the destination: input in dev/release mode. // - enableCustomTokens: Whether to enable custom-token support (installs @actions/github so handler_auth.cjs can create per-handler Octokit clients) // // Returns a slice of strings representing the YAML lines for the setup step. @@ -319,23 +320,24 @@ func (c *Compiler) generateSetupStep(setupActionRef string, destination string, " - name: Setup Scripts\n", " run: |\n", " bash /tmp/gh-aw/actions-source/actions/setup/setup.sh\n", + " env:\n", + fmt.Sprintf(" INPUT_DESTINATION: %s\n", destination), } if enableCustomTokens { - lines = append(lines, " env:\n") lines = append(lines, " INPUT_SAFE_OUTPUT_CUSTOM_TOKENS: 'true'\n") } return lines } // Dev/Release mode: use the setup action. - // The destination defaults to /opt/gh-aw/actions in action.yml, which setup.sh uses - // to derive GH_AW_HOME and export it to $GITHUB_ENV for subsequent steps. + // Pass destination so callers can relocate GH_AW_HOME (e.g. on self-hosted runners). lines := []string{ " - name: Setup Scripts\n", fmt.Sprintf(" uses: %s\n", setupActionRef), + " with:\n", + fmt.Sprintf(" destination: %s\n", destination), } if enableCustomTokens { - lines = append(lines, " with:\n") lines = append(lines, " safe-output-custom-tokens: 'true'\n") } return lines diff --git a/pkg/workflow/compiler_yaml_main_job_test.go b/pkg/workflow/compiler_yaml_main_job_test.go index 62fcc97b3f..b6d376ec02 100644 --- a/pkg/workflow/compiler_yaml_main_job_test.go +++ b/pkg/workflow/compiler_yaml_main_job_test.go @@ -558,7 +558,7 @@ func TestGenerateMainJobSteps(t *testing.T) { "- name: Checkout repository", "persist-credentials: false", "- name: Create gh-aw temp directory", - "run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh", + "bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh", }, shouldError: false, }, diff --git a/pkg/workflow/copilot_installer_test.go b/pkg/workflow/copilot_installer_test.go index d86da61a18..b1292c10a9 100644 --- a/pkg/workflow/copilot_installer_test.go +++ b/pkg/workflow/copilot_installer_test.go @@ -24,7 +24,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { stepName: "Install GitHub Copilot CLI", expectedVersion: "0.0.369", shouldContain: []string{ - "/opt/gh-aw/actions/install_copilot_cli.sh 0.0.369", + "${GH_AW_HOME}/actions/install_copilot_cli.sh 0.0.369", "name: Install GitHub Copilot CLI", }, shouldNotContain: []string{ @@ -37,7 +37,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { stepName: "Install GitHub Copilot CLI", expectedVersion: "v0.0.370", shouldContain: []string{ - "/opt/gh-aw/actions/install_copilot_cli.sh v0.0.370", + "${GH_AW_HOME}/actions/install_copilot_cli.sh v0.0.370", }, shouldNotContain: []string{ "gh.io/copilot-install | sudo bash", @@ -49,7 +49,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { stepName: "Custom Install Step", expectedVersion: "1.2.3", shouldContain: []string{ - "/opt/gh-aw/actions/install_copilot_cli.sh 1.2.3", + "${GH_AW_HOME}/actions/install_copilot_cli.sh 1.2.3", "name: Custom Install Step", }, shouldNotContain: []string{ @@ -62,7 +62,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { stepName: "Install GitHub Copilot CLI", expectedVersion: string(constants.DefaultCopilotVersion), // Should use DefaultCopilotVersion shouldContain: []string{ - "/opt/gh-aw/actions/install_copilot_cli.sh " + string(constants.DefaultCopilotVersion), + "${GH_AW_HOME}/actions/install_copilot_cli.sh " + string(constants.DefaultCopilotVersion), }, shouldNotContain: []string{ "gh.io/copilot-install | sudo bash", @@ -96,7 +96,7 @@ func TestGenerateCopilotInstallerSteps(t *testing.T) { } // Verify the version is correctly passed to the install script - expectedVersionLine := "/opt/gh-aw/actions/install_copilot_cli.sh " + tt.expectedVersion + expectedVersionLine := "${GH_AW_HOME}/actions/install_copilot_cli.sh " + tt.expectedVersion if !strings.Contains(stepContent, expectedVersionLine) { t.Errorf("Expected version to be set to '%s', but step content was:\n%s", tt.expectedVersion, stepContent) } @@ -133,7 +133,7 @@ func TestCopilotInstallerCustomVersion(t *testing.T) { } // Should contain the custom version - expectedVersionLine := "/opt/gh-aw/actions/install_copilot_cli.sh " + customVersion + expectedVersionLine := "${GH_AW_HOME}/actions/install_copilot_cli.sh " + customVersion if !strings.Contains(installStep, expectedVersionLine) { t.Errorf("Expected custom version %s in install step, got:\n%s", customVersion, installStep) } diff --git a/pkg/workflow/detection_success_test.go b/pkg/workflow/detection_success_test.go index b10ca9bc00..4ad9631fa0 100644 --- a/pkg/workflow/detection_success_test.go +++ b/pkg/workflow/detection_success_test.go @@ -69,7 +69,7 @@ Create an issue. } // Check that the script uses require to load the parse_threat_detection_results.cjs file - if !strings.Contains(agentSection, "require('/opt/gh-aw/actions/parse_threat_detection_results.cjs')") { + if !strings.Contains(agentSection, "require(process.env.GH_AW_HOME + '/actions/parse_threat_detection_results.cjs')") { t.Error("Parse results step doesn't use require to load parse_threat_detection_results.cjs") } diff --git a/pkg/workflow/docker_predownload_test.go b/pkg/workflow/docker_predownload_test.go index 1f5c223ff2..a3f08de4e8 100644 --- a/pkg/workflow/docker_predownload_test.go +++ b/pkg/workflow/docker_predownload_test.go @@ -166,8 +166,8 @@ Test workflow with both GitHub and Serena tools.`, // If we expect a step, verify the images are present if tt.expectStep { // Verify the script call is present - if !strings.Contains(string(yaml), "bash /opt/gh-aw/actions/download_docker_images.sh") { - t.Error("Expected to find 'bash /opt/gh-aw/actions/download_docker_images.sh' script call in generated YAML") + if !strings.Contains(string(yaml), "bash ${GH_AW_HOME}/actions/download_docker_images.sh") { + t.Error("Expected to find 'bash ${GH_AW_HOME}/actions/download_docker_images.sh' script call in generated YAML") } for _, expectedImage := range tt.expectedImages { // Check that the image is being passed as an argument to the script diff --git a/pkg/workflow/engine_helpers_shared_test.go b/pkg/workflow/engine_helpers_shared_test.go index 09d58de7e1..ab687f24eb 100644 --- a/pkg/workflow/engine_helpers_shared_test.go +++ b/pkg/workflow/engine_helpers_shared_test.go @@ -389,7 +389,7 @@ func TestRenderJSONMCPConfig(t *testing.T) { }, }, expectedContent: []string{ - "cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh", + "cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh", "\"mcpServers\": {", "\"github\": { \"test\": true },", "\"playwright\": { \"test\": true }", @@ -426,7 +426,7 @@ func TestRenderJSONMCPConfig(t *testing.T) { }, }, expectedContent: []string{ - "cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh", + "cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh", "\"github\": { \"filtered\": true }", }, unexpectedContent: []string{ diff --git a/pkg/workflow/engine_includes_test.go b/pkg/workflow/engine_includes_test.go index 543b74b339..17fea18eca 100644 --- a/pkg/workflow/engine_includes_test.go +++ b/pkg/workflow/engine_includes_test.go @@ -253,7 +253,7 @@ This should use the default engine. lockStr := string(lockContent) // Should contain references to copilot CLI (default engine) using install script wrapper - if !strings.Contains(lockStr, "/opt/gh-aw/actions/install_copilot_cli.sh") { + if !strings.Contains(lockStr, "${GH_AW_HOME}/actions/install_copilot_cli.sh") { t.Error("Expected lock file to contain copilot CLI installation using install script wrapper") } diff --git a/pkg/workflow/firewall_version_pinning_test.go b/pkg/workflow/firewall_version_pinning_test.go index e5a0539d67..eeeafc95d6 100644 --- a/pkg/workflow/firewall_version_pinning_test.go +++ b/pkg/workflow/firewall_version_pinning_test.go @@ -27,9 +27,9 @@ func TestAWFInstallationStepDefaultVersion(t *testing.T) { t.Error("Expected to call install_awf_binary.sh script") } - // Verify it uses the script from /opt/gh-aw/actions/ - if !strings.Contains(stepStr, "/opt/gh-aw/actions/install_awf_binary.sh") { - t.Error("Expected to call script from /opt/gh-aw/actions/ directory") + // Verify it uses the script from ${GH_AW_HOME}/actions/ + if !strings.Contains(stepStr, "${GH_AW_HOME}/actions/install_awf_binary.sh") { + t.Error("Expected to call script from ${GH_AW_HOME}/actions/ directory") } // Ensure it's NOT using inline bash or the old unverified installer script diff --git a/pkg/workflow/git_config_test.go b/pkg/workflow/git_config_test.go index 213b296875..393cba781e 100644 --- a/pkg/workflow/git_config_test.go +++ b/pkg/workflow/git_config_test.go @@ -201,7 +201,7 @@ func TestGitCredentialsCleanerStepsHelper(t *testing.T) { // Verify the content of the steps expectedContents := []string{ "Clean git credentials", - "run: bash /opt/gh-aw/actions/clean_git_credentials.sh", + "run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh", } fullContent := strings.Join(steps, "") diff --git a/pkg/workflow/importable_tools_test.go b/pkg/workflow/importable_tools_test.go index d1bc8396b6..60a5804703 100644 --- a/pkg/workflow/importable_tools_test.go +++ b/pkg/workflow/importable_tools_test.go @@ -240,7 +240,7 @@ Uses imported agentic-workflows tool. } // Verify binary mounts are NOT present in dev mode - if strings.Contains(workflowData, `/opt/gh-aw:/opt/gh-aw:ro`) { + if strings.Contains(workflowData, `${GH_AW_HOME}:${GH_AW_HOME}:ro`) { t.Error("Did not expect /opt/gh-aw mount in dev mode (binary is in image)") } diff --git a/pkg/workflow/inference_access_error_test.go b/pkg/workflow/inference_access_error_test.go index 64385ab64f..c67b115738 100644 --- a/pkg/workflow/inference_access_error_test.go +++ b/pkg/workflow/inference_access_error_test.go @@ -49,7 +49,7 @@ Test workflow` } // Check that the detection step calls the shell script - if !strings.Contains(lockStr, "bash /opt/gh-aw/actions/detect_inference_access_error.sh") { + if !strings.Contains(lockStr, "bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh") { t.Error("Expected detect-inference-error step to call detect_inference_access_error.sh") } diff --git a/pkg/workflow/main_job_env_test.go b/pkg/workflow/main_job_env_test.go index db8144ac82..b506672ccc 100644 --- a/pkg/workflow/main_job_env_test.go +++ b/pkg/workflow/main_job_env_test.go @@ -21,12 +21,15 @@ func TestMainJobEnvironmentVariables(t *testing.T) { shouldHaveEnv bool }{ { - name: "No safe outputs - no env section", + name: "No safe outputs - only GH_AW_HOME set", frontmatter: map[string]any{ "name": "Test Workflow", "on": "push", }, - shouldHaveEnv: false, + expectedEnvVars: []string{ + "GH_AW_HOME: " + GhAwHomeExprDefault, + }, + shouldHaveEnv: true, }, { name: "Safe outputs with create-issue", diff --git a/pkg/workflow/maintenance_workflow.go b/pkg/workflow/maintenance_workflow.go index 51515289cf..1b89772b07 100644 --- a/pkg/workflow/maintenance_workflow.go +++ b/pkg/workflow/maintenance_workflow.go @@ -235,7 +235,7 @@ jobs: yaml.WriteString(` - name: Setup Scripts uses: ` + setupActionRef + ` with: - destination: /opt/gh-aw/actions + destination: ` + SetupActionDestination + ` - name: Close expired discussions uses: ` + GetActionPin("actions/github-script") + ` @@ -244,9 +244,9 @@ jobs: `) // Add the close expired discussions script using require() - yaml.WriteString(` const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + yaml.WriteString(` const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_discussions.cjs'); + const { main } = require(` + JsRequireGhAw("actions/close_expired_discussions.cjs") + `); await main(); - name: Close expired issues @@ -256,9 +256,9 @@ jobs: `) // Add the close expired issues script using require() - yaml.WriteString(` const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + yaml.WriteString(` const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_issues.cjs'); + const { main } = require(` + JsRequireGhAw("actions/close_expired_issues.cjs") + `); await main(); - name: Close expired pull requests @@ -268,9 +268,9 @@ jobs: `) // Add the close expired pull requests script using require() - yaml.WriteString(` const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + yaml.WriteString(` const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/close_expired_pull_requests.cjs'); + const { main } = require(` + JsRequireGhAw("actions/close_expired_pull_requests.cjs") + `); await main(); `) @@ -292,16 +292,16 @@ jobs: - name: Setup Scripts uses: ` + setupActionRef + ` with: - destination: /opt/gh-aw/actions + destination: ` + SetupActionDestination + ` - name: Check admin/maintainer permissions uses: ` + GetActionPin("actions/github-script") + ` with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_team_member.cjs'); + const { main } = require(` + JsRequireGhAw("actions/check_team_member.cjs") + `); await main(); `) @@ -316,9 +316,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/run_operation_update_upgrade.cjs'); + const { main } = require(` + JsRequireGhAw("actions/run_operation_update_upgrade.cjs") + `); await main(); `) @@ -354,15 +354,15 @@ jobs: - name: Setup Scripts uses: ` + setupActionRef + ` with: - destination: /opt/gh-aw/actions + destination: ` + SetupActionDestination + ` - name: Check for out-of-sync workflows and create issue if needed uses: ` + GetActionPin("actions/github-script") + ` with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_recompile_needed.cjs'); + const { main } = require(` + JsRequireGhAw("actions/check_workflow_recompile_needed.cjs") + `); await main(); zizmor-scan: @@ -417,7 +417,7 @@ jobs: - name: Setup Scripts uses: ` + setupActionRef + ` with: - destination: /opt/gh-aw/actions + destination: ` + SetupActionDestination + ` - name: Validate Secrets uses: ` + GetActionPin("actions/github-script") + ` @@ -435,9 +435,9 @@ jobs: NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(` + JsRequireGhAw("actions/setup_globals.cjs") + `); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/validate_secrets.cjs'); + const { main } = require(` + JsRequireGhAw("actions/validate_secrets.cjs") + `); await main(); - name: Upload secret validation report diff --git a/pkg/workflow/mcp_config_compilation_test.go b/pkg/workflow/mcp_config_compilation_test.go index abc6cd6c59..66ba0a847a 100644 --- a/pkg/workflow/mcp_config_compilation_test.go +++ b/pkg/workflow/mcp_config_compilation_test.go @@ -487,7 +487,7 @@ This workflow tests that agentic-workflows uses the correct container in dev mod } // Verify binary mounts are NOT present in dev mode - if strings.Contains(string(lockContent), `/opt/gh-aw:/opt/gh-aw:ro`) { + if strings.Contains(string(lockContent), `${GH_AW_HOME}:${GH_AW_HOME}:ro`) { t.Error("Did not expect /opt/gh-aw mount in dev mode (binary is in image)") } if strings.Contains(string(lockContent), `/usr/bin/gh:/usr/bin/gh:ro`) { diff --git a/pkg/workflow/mcp_config_refactor_test.go b/pkg/workflow/mcp_config_refactor_test.go index cfa8bc6df6..1a315b2a4a 100644 --- a/pkg/workflow/mcp_config_refactor_test.go +++ b/pkg/workflow/mcp_config_refactor_test.go @@ -115,10 +115,10 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) { }, unexpectedContent: []string{ `--cmd`, - `"entrypoint"`, // Not needed in dev mode - uses container's ENTRYPOINT - `"entrypointArgs"`, // Not needed in dev mode - uses container's CMD - `/opt/gh-aw:/opt/gh-aw:ro`, // Not needed in dev mode - binary is in image - `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode - gh CLI is in image + `"entrypoint"`, // Not needed in dev mode - uses container's ENTRYPOINT + `"entrypointArgs"`, // Not needed in dev mode - uses container's CMD + `\${GH_AW_HOME}:\${GH_AW_HOME}:ro`, // Not needed in dev mode - binary is in image + `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode - gh CLI is in image `${{ secrets.`, `"command":`, // Should NOT use command - must use container }, @@ -132,9 +132,9 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) { `"agenticworkflows": {`, `"type": "stdio"`, `"container": "alpine:latest"`, - `"entrypoint": "/opt/gh-aw/gh-aw"`, + `"entrypoint": "${GH_AW_HOME}/gh-aw"`, `"entrypointArgs": ["mcp-server", "--validate-actor"]`, - `"/opt/gh-aw:/opt/gh-aw:ro"`, // gh-aw binary mount (read-only) + `"\${GH_AW_HOME}:\${GH_AW_HOME}:ro"`, // gh-aw binary mount (read-only) `"/usr/bin/gh:/usr/bin/gh:ro"`, // gh CLI binary mount (read-only) `"\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"`, // workspace mount (read-write) `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount (read-write) @@ -171,10 +171,10 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) { `"type"`, `\\${`, `--cmd`, - `"entrypoint"`, // Not needed in dev mode - uses container's ENTRYPOINT - `"entrypointArgs"`, // Not needed in dev mode - uses container's CMD - `/opt/gh-aw:/opt/gh-aw:ro`, // Not needed in dev mode - binary is in image - `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode - gh CLI is in image + `"entrypoint"`, // Not needed in dev mode - uses container's ENTRYPOINT + `"entrypointArgs"`, // Not needed in dev mode - uses container's CMD + `\${GH_AW_HOME}:\${GH_AW_HOME}:ro`, // Not needed in dev mode - binary is in image + `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode - gh CLI is in image // Verify GitHub expressions are NOT in the output (security fix) `${{ secrets.`, `"command":`, // Should NOT use command - must use container @@ -231,7 +231,7 @@ func TestRenderSafeOutputsMCPConfigTOML(t *testing.T) { unexpectedContent := []string{ `container = "node:lts-alpine"`, `entrypoint = "node"`, - `entrypointArgs = ["/opt/gh-aw/safeoutputs/mcp-server.cjs"]`, + `entrypointArgs = ["${GH_AW_HOME}/safeoutputs/mcp-server.cjs"]`, `mounts =`, `env_vars =`, `stdio`, @@ -322,10 +322,10 @@ func TestRenderAgenticWorkflowsMCPConfigTOML(t *testing.T) { }, unexpectedContent: []string{ `--cmd`, - `entrypoint =`, // Not needed in dev mode - uses container's ENTRYPOINT - `entrypointArgs =`, // Not needed in dev mode - uses container's CMD - `/opt/gh-aw:/opt/gh-aw:ro`, // Not needed in dev mode - `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode + `entrypoint =`, // Not needed in dev mode - uses container's ENTRYPOINT + `entrypointArgs =`, // Not needed in dev mode - uses container's CMD + `\${GH_AW_HOME}:\${GH_AW_HOME}:ro`, // Not needed in dev mode + `/usr/bin/gh:/usr/bin/gh:ro`, // Not needed in dev mode }, }, { @@ -334,9 +334,9 @@ func TestRenderAgenticWorkflowsMCPConfigTOML(t *testing.T) { expectedContainer: `container = "alpine:latest"`, shouldHaveEntrypoint: true, expectedMounts: []string{ - `entrypoint = "/opt/gh-aw/gh-aw"`, // Entrypoint needed in release mode + `entrypoint = "${GH_AW_HOME}/gh-aw"`, // Entrypoint needed in release mode `entrypointArgs = ["mcp-server", "--validate-actor"]`, // EntrypointArgs needed in release mode with validate-actor flag - `"/opt/gh-aw:/opt/gh-aw:ro"`, // gh-aw binary mount + `"\${GH_AW_HOME}:\${GH_AW_HOME}:ro"`, // gh-aw binary mount `"/usr/bin/gh:/usr/bin/gh:ro"`, // gh CLI binary mount `"\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"`, // workspace mount `"/tmp/gh-aw:/tmp/gh-aw:rw"`, // temp directory mount diff --git a/pkg/workflow/mcp_renderer_test.go b/pkg/workflow/mcp_renderer_test.go index 3a6432b640..cac354e62f 100644 --- a/pkg/workflow/mcp_renderer_test.go +++ b/pkg/workflow/mcp_renderer_test.go @@ -200,7 +200,7 @@ func TestRenderAgenticWorkflowsMCP_JSON_Copilot(t *testing.T) { t.Error("Did not expect entrypointArgs field in dev mode (uses container's CMD)") } // In dev mode, should NOT have binary mounts - if strings.Contains(output, `/opt/gh-aw:/opt/gh-aw:ro`) { + if strings.Contains(output, `${GH_AW_HOME}:${GH_AW_HOME}:ro`) { t.Error("Did not expect /opt/gh-aw mount in dev mode (binary is in image)") } if strings.Contains(output, `/usr/bin/gh:/usr/bin/gh:ro`) { @@ -274,7 +274,7 @@ func TestRenderAgenticWorkflowsMCP_TOML(t *testing.T) { t.Error("Did not expect entrypointArgs field in dev mode (uses container's CMD)") } // In dev mode, should NOT have binary mounts - if strings.Contains(output, `/opt/gh-aw:/opt/gh-aw:ro`) { + if strings.Contains(output, `${GH_AW_HOME}:${GH_AW_HOME}:ro`) { t.Error("Did not expect /opt/gh-aw mount in dev mode (binary is in image)") } if strings.Contains(output, `/usr/bin/gh:/usr/bin/gh:ro`) { diff --git a/pkg/workflow/mcp_scripts_generator_test.go b/pkg/workflow/mcp_scripts_generator_test.go index 45de357950..c5b15f510e 100644 --- a/pkg/workflow/mcp_scripts_generator_test.go +++ b/pkg/workflow/mcp_scripts_generator_test.go @@ -77,7 +77,7 @@ func TestGenerateMCPScriptsMCPServerScript(t *testing.T) { t.Error("Script should reference tools.json configuration file") } - if !strings.Contains(script, "/opt/gh-aw/mcp-scripts/logs") { + if !strings.Contains(script, "/mcp-scripts/logs") { t.Error("Script should specify log directory") } diff --git a/pkg/workflow/mcp_scripts_http_codex_test.go b/pkg/workflow/mcp_scripts_http_codex_test.go index b4ec8731e9..0a2c4b59c1 100644 --- a/pkg/workflow/mcp_scripts_http_codex_test.go +++ b/pkg/workflow/mcp_scripts_http_codex_test.go @@ -90,7 +90,7 @@ Test mcp-scripts HTTP transport for Codex t.Error("Codex config should not use stdio transport (command = 'node'), should use HTTP") } - if strings.Contains(codexConfigSection, `args = [`) && strings.Contains(codexConfigSection, `/opt/gh-aw/mcp-scripts/mcp-server.cjs`) { + if strings.Contains(codexConfigSection, `args = [`) && strings.Contains(codexConfigSection, `${GH_AW_HOME}/mcp-scripts/mcp-server.cjs`) { t.Error("Codex config should not use stdio transport with mcp-server.cjs args, should use HTTP") } diff --git a/pkg/workflow/mcp_scripts_mode_test.go b/pkg/workflow/mcp_scripts_mode_test.go index 832550141c..7f3472975b 100644 --- a/pkg/workflow/mcp_scripts_mode_test.go +++ b/pkg/workflow/mcp_scripts_mode_test.go @@ -117,7 +117,7 @@ Test mcp-scripts HTTP mode // extractMCPServerEntryPoint extracts the mcp-server.cjs entry point script from the YAML func extractMCPServerEntryPoint(yamlStr string) string { // Find the mcp-server.cjs section - start := strings.Index(yamlStr, "cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs") + start := strings.Index(yamlStr, "cat > ${GH_AW_HOME}/mcp-scripts/mcp-server.cjs") if start == -1 { return "" } diff --git a/pkg/workflow/notify_comment.go b/pkg/workflow/notify_comment.go index 63b917607d..f9ca4fef15 100644 --- a/pkg/workflow/notify_comment.go +++ b/pkg/workflow/notify_comment.go @@ -430,7 +430,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa Environment: c.indentYAMLLines(resolveSafeOutputsEnvironment(data), " "), Permissions: permissions.RenderToYAML(), Concurrency: concurrency, - Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}, + Env: map[string]string{"GH_AW_HOME": GhAwHomeExprDefault}, Steps: steps, Needs: needs, Outputs: outputs, diff --git a/pkg/workflow/pr_checkout_test.go b/pkg/workflow/pr_checkout_test.go index 22ca2c6d49..497f8ac7f7 100644 --- a/pkg/workflow/pr_checkout_test.go +++ b/pkg/workflow/pr_checkout_test.go @@ -207,7 +207,7 @@ Test workflow with permissions but checkout should be conditional. } // Check for PR context prompt using cat command - hasPRPrompt := strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/pr_context_prompt.md\"") + hasPRPrompt := strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/pr_context_prompt.md\"") if hasPRPrompt != tt.expectPRPrompt { t.Errorf("Expected PR context prompt: %v, got: %v", tt.expectPRPrompt, hasPRPrompt) } @@ -228,7 +228,7 @@ Test workflow with permissions but checkout should be conditional. // If PR prompt is expected, verify the cat command references the correct file if tt.expectPRPrompt { - if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/pr_context_prompt.md\"") { + if !strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/pr_context_prompt.md\"") { t.Error("PR context prompt should reference pr_context_prompt.md file") } } diff --git a/pkg/workflow/prompts_test.go b/pkg/workflow/prompts_test.go index f560c671d4..115cb4e1ed 100644 --- a/pkg/workflow/prompts_test.go +++ b/pkg/workflow/prompts_test.go @@ -227,8 +227,8 @@ This is a test workflow with cache-memory enabled. } // Test 3: Verify the template file is used (not inline text) - if !strings.Contains(lockStr, "/opt/gh-aw/prompts/cache_memory_prompt.md") { - t.Error("Expected '/opt/gh-aw/prompts/cache_memory_prompt.md' reference in generated workflow") + if !strings.Contains(lockStr, "${GH_AW_HOME}/prompts/cache_memory_prompt.md") { + t.Error("Expected '${GH_AW_HOME}/prompts/cache_memory_prompt.md' reference in generated workflow") } // Test 4: Verify the instruction mentions persistent cache @@ -412,7 +412,7 @@ This is a test workflow with playwright enabled. } // Test 2: Verify the cat command for playwright prompt file is included - if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/playwright_prompt.md\"") { + if !strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/playwright_prompt.md\"") { t.Error("Expected cat command for playwright prompt file in generated workflow") } @@ -589,7 +589,7 @@ This is a test workflow with issue_comment trigger. } // Test 2: Verify the cat command for PR context prompt file is included - if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/pr_context_prompt.md\"") { + if !strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/pr_context_prompt.md\"") { t.Error("Expected cat command for PR context prompt file in generated workflow") } diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go index d0f4eb9e45..11b3ed4c42 100644 --- a/pkg/workflow/repo_memory.go +++ b/pkg/workflow/repo_memory.go @@ -713,7 +713,7 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna If: jobCondition, Permissions: "permissions:\n contents: write", Concurrency: concurrency, - Env: map[string]string{"GH_AW_HOME": constants.GhAwHomeDefault}, + Env: map[string]string{"GH_AW_HOME": GhAwHomeExprDefault}, Needs: []string{"agent"}, // Detection dependency added by caller if needed Steps: steps, Outputs: outputs, diff --git a/pkg/workflow/repo_memory_integration_test.go b/pkg/workflow/repo_memory_integration_test.go index 0a977810ff..c79c634917 100644 --- a/pkg/workflow/repo_memory_integration_test.go +++ b/pkg/workflow/repo_memory_integration_test.go @@ -243,7 +243,7 @@ This workflow has file validation. } // Check that push_repo_memory.cjs is being required (not inlined) - if !strings.Contains(lockFile, "require('/opt/gh-aw/actions/push_repo_memory.cjs')") { + if !strings.Contains(lockFile, "require(process.env.GH_AW_HOME + '/actions/push_repo_memory.cjs')") { t.Error("Expected push_repo_memory script to be loaded via require") } @@ -360,7 +360,7 @@ This workflow tests GitHub Enterprise support. } // Check for the shell script that uses GITHUB_SERVER_URL - if !strings.Contains(lockFile, "bash /opt/gh-aw/actions/clone_repo_memory_branch.sh") { + if !strings.Contains(lockFile, "bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh") { t.Error("Expected clone_repo_memory_branch.sh script invocation") } } diff --git a/pkg/workflow/repo_memory_test.go b/pkg/workflow/repo_memory_test.go index 85658f8551..efc8953178 100644 --- a/pkg/workflow/repo_memory_test.go +++ b/pkg/workflow/repo_memory_test.go @@ -222,7 +222,7 @@ func TestRepoMemoryStepsGeneration(t *testing.T) { } // Check for script call - if !strings.Contains(output, "bash /opt/gh-aw/actions/clone_repo_memory_branch.sh") { + if !strings.Contains(output, "bash ${GH_AW_HOME}/actions/clone_repo_memory_branch.sh") { t.Error("Expected clone_repo_memory_branch.sh script call") } diff --git a/pkg/workflow/safe_outputs_mcp_integration_test.go b/pkg/workflow/safe_outputs_mcp_integration_test.go index 2a68100a14..5c5e519690 100644 --- a/pkg/workflow/safe_outputs_mcp_integration_test.go +++ b/pkg/workflow/safe_outputs_mcp_integration_test.go @@ -53,7 +53,7 @@ Test safe outputs workflow with MCP server integration. // So we don't check for cat command anymore, we just check the MCP config references it // Check that safe-outputs configuration file is written - if !strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { + if !strings.Contains(yamlStr, "cat > ${GH_AW_HOME}/safeoutputs/config.json") { t.Error("Expected safe-outputs configuration to be written to config.json file") } @@ -73,7 +73,7 @@ Test safe outputs workflow with MCP server integration. } // Check that config file is created - if !strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { + if !strings.Contains(yamlStr, "cat > ${GH_AW_HOME}/safeoutputs/config.json") { t.Error("Expected config file to be created") } @@ -118,7 +118,7 @@ Test workflow without safe outputs. // The check is now redundant since we removed the cat command entirely // Check that safe-outputs configuration file is NOT written - if strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { + if strings.Contains(yamlStr, "cat > ${GH_AW_HOME}/safeoutputs/config.json") { t.Error("Expected safe-outputs configuration to NOT be written when safe-outputs are disabled") } @@ -171,7 +171,7 @@ Test safe outputs workflow with Codex engine. // So we don't check for cat command anymore // Check that safe-outputs configuration file is written - if !strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { + if !strings.Contains(yamlStr, "cat > ${GH_AW_HOME}/safeoutputs/config.json") { t.Error("Expected safe-outputs configuration to be written to config.json file") } diff --git a/pkg/workflow/secret_validation_test.go b/pkg/workflow/secret_validation_test.go index 91505e2caa..5a19fa3e3d 100644 --- a/pkg/workflow/secret_validation_test.go +++ b/pkg/workflow/secret_validation_test.go @@ -23,7 +23,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { docsURL: "https://github.github.com/gh-aw/reference/engines/#openai-codex", wantStrings: []string{ "Validate CODEX_API_KEY or OPENAI_API_KEY secret", - "run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex", + "run: ${GH_AW_HOME}/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.com/gh-aw/reference/engines/#openai-codex", "CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }}", "OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}", }, @@ -35,7 +35,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { docsURL: "https://github.github.com/gh-aw/reference/engines/#github-copilot-default", wantStrings: []string{ "Validate COPILOT_GITHUB_TOKEN secret", - "run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default", + "run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default", "COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}", }, }, @@ -46,7 +46,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { docsURL: "https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code", wantStrings: []string{ "Validate ANTHROPIC_API_KEY secret", - "run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code", + "run: ${GH_AW_HOME}/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code", "ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}", }, }, @@ -64,7 +64,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { } // Verify it calls the validate_multi_secret.sh script - if !strings.Contains(stepContent, "/opt/gh-aw/actions/validate_multi_secret.sh") { + if !strings.Contains(stepContent, "${GH_AW_HOME}/actions/validate_multi_secret.sh") { t.Error("Expected step to call validate_multi_secret.sh script") } @@ -151,7 +151,7 @@ func TestCodexEngineHasSecretValidation(t *testing.T) { } // Should call the validate_multi_secret.sh script with both secret names - if !strings.Contains(stepContent, "/opt/gh-aw/actions/validate_multi_secret.sh") { + if !strings.Contains(stepContent, "${GH_AW_HOME}/actions/validate_multi_secret.sh") { t.Error("Should call validate_multi_secret.sh script") } if !strings.Contains(stepContent, "CODEX_API_KEY OPENAI_API_KEY") { diff --git a/pkg/workflow/setup_action_paths.go b/pkg/workflow/setup_action_paths.go index e9271e766c..62b37dea73 100644 --- a/pkg/workflow/setup_action_paths.go +++ b/pkg/workflow/setup_action_paths.go @@ -17,10 +17,16 @@ const GhAwHomeJS = "process.env.GH_AW_HOME" // GitHub Actions evaluates ${{ env.VAR }} before passing values to steps. const GhAwHomeExpr = "${{ env.GH_AW_HOME }}" +// GhAwHomeExprDefault is the GitHub Actions expression for GH_AW_HOME with a fallback. +// Use this in job-level env: blocks so callers can override GH_AW_HOME via +// workflow-level or repository-level env, while defaulting to GhAwHomeDefault. +const GhAwHomeExprDefault = "${{ env.GH_AW_HOME || '/opt/gh-aw' }}" + // SetupActionDestination is the path where the setup action copies script files // on the agent runner (e.g. /opt/gh-aw/actions). -// This is a shell expression expanded at runtime. -const SetupActionDestination = GhAwHome + "/actions" +// Uses GitHub Actions expression syntax so the value is resolved before being passed +// to setup.sh (via INPUT_DESTINATION in script mode, or destination: in dev/release mode). +const SetupActionDestination = GhAwHomeExpr + "/actions" // JsRequireGhAw generates a JavaScript require() argument expression for a file // under GH_AW_HOME. The relativePath should be like "actions/foo.cjs". diff --git a/pkg/workflow/step_order_validation_integration_test.go b/pkg/workflow/step_order_validation_integration_test.go index 87a948d85b..f0502eb833 100644 --- a/pkg/workflow/step_order_validation_integration_test.go +++ b/pkg/workflow/step_order_validation_integration_test.go @@ -174,7 +174,7 @@ This workflow uploads artifacts. // Verify common upload paths are present and under /tmp/gh-aw/ or /opt/gh-aw/ uploadPaths := []string{ - "/opt/gh-aw/safeoutputs/outputs.jsonl", + "${GH_AW_HOME}/safeoutputs/outputs.jsonl", "/tmp/gh-aw/agent-stdio.log", "/tmp/gh-aw/mcp-logs/", } diff --git a/pkg/workflow/step_order_validation_test.go b/pkg/workflow/step_order_validation_test.go index bae1f3db3e..7bcc2d24ea 100644 --- a/pkg/workflow/step_order_validation_test.go +++ b/pkg/workflow/step_order_validation_test.go @@ -110,7 +110,7 @@ func TestIsPathScannedBySecretRedaction_ScannableFiles(t *testing.T) { }, { name: "JSONL file in /opt/gh-aw/", - path: "/opt/gh-aw/safeoutputs/outputs.jsonl", + path: "${GH_AW_HOME}/safeoutputs/outputs.jsonl", expected: true, }, { diff --git a/pkg/workflow/step_summary_test.go b/pkg/workflow/step_summary_test.go index e25842be68..e5db984dd1 100644 --- a/pkg/workflow/step_summary_test.go +++ b/pkg/workflow/step_summary_test.go @@ -134,7 +134,7 @@ This workflow tests that the step summary includes agentic run information. } // Verify that the generate_aw_info.cjs helper is invoked from the step - if !strings.Contains(lockContent, "require('/opt/gh-aw/actions/generate_aw_info.cjs')") { + if !strings.Contains(lockContent, "require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs')") { t.Error("Expected generate_aw_info.cjs require call in 'Generate agentic run info' step") } @@ -240,7 +240,7 @@ This workflow tests the workflow overview for Claude engine. } // Verify workflow overview call is present in the generate_aw_info step - if !strings.Contains(lockContent, "require('/opt/gh-aw/actions/generate_aw_info.cjs')") { + if !strings.Contains(lockContent, "require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs')") { t.Error("Expected generate_aw_info.cjs require call inside 'Generate agentic run info' step") } diff --git a/pkg/workflow/temp_folder_test.go b/pkg/workflow/temp_folder_test.go index 0649b15cea..2585c328b6 100644 --- a/pkg/workflow/temp_folder_test.go +++ b/pkg/workflow/temp_folder_test.go @@ -56,7 +56,7 @@ This is a test workflow to verify temp folder instructions are included. } // Test 2: Verify the cat command for temp folder prompt file is included - if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/temp_folder_prompt.md\"") { + if !strings.Contains(lockStr, "cat \"${GH_AW_HOME}/prompts/temp_folder_prompt.md\"") { t.Error("Expected cat command for temp folder prompt file in generated workflow") } diff --git a/pkg/workflow/template_injection_validation_test.go b/pkg/workflow/template_injection_validation_test.go index ead5484da0..287a340f93 100644 --- a/pkg/workflow/template_injection_validation_test.go +++ b/pkg/workflow/template_injection_validation_test.go @@ -75,7 +75,7 @@ func TestValidateNoTemplateInjection(t *testing.T) { steps: - name: Unsafe usage run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh ${{ steps.start-mcp-gateway.outputs.gateway-pid }}`, + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh ${{ steps.start-mcp-gateway.outputs.gateway-pid }}`, shouldError: true, errorString: "steps.*.outputs", }, @@ -368,7 +368,7 @@ func TestTemplateInjectionRealWorldPatterns(t *testing.T) { MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh ${{ steps.start-mcp-gateway.outputs.gateway-pid }}` + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh ${{ steps.start-mcp-gateway.outputs.gateway-pid }}` err := validateNoTemplateInjection(yaml) require.Error(t, err, "Should detect unsafe gateway-pid usage in run command") @@ -390,7 +390,7 @@ func TestTemplateInjectionRealWorldPatterns(t *testing.T) { MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"` + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID"` err := validateNoTemplateInjection(yaml) assert.NoError(t, err, "Should pass with gateway-pid in env variable") diff --git a/pkg/workflow/template_rendering_test.go b/pkg/workflow/template_rendering_test.go index d3d003a6d6..ddbafb8b90 100644 --- a/pkg/workflow/template_rendering_test.go +++ b/pkg/workflow/template_rendering_test.go @@ -118,7 +118,7 @@ Normal content here. } // Verify the setupGlobals helper is used - if !strings.Contains(compiledStr, "const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs')") { + if !strings.Contains(compiledStr, "const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs')") { t.Error("Template rendering step should use setupGlobals helper") } @@ -127,7 +127,7 @@ Normal content here. } // Verify the interpolate_prompt script is loaded via require - if !strings.Contains(compiledStr, "const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs')") { + if !strings.Contains(compiledStr, "const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs')") { t.Error("Template rendering step should require interpolate_prompt.cjs") } diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden index 67620dffb2..0893a840cb 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -32,7 +32,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -54,11 +54,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -76,9 +76,9 @@ jobs: GH_AW_WORKFLOW_FILE: "basic-copilot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -92,14 +92,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -146,9 +146,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -165,10 +165,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -188,11 +188,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -209,6 +209,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: basiccopilot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -225,13 +226,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -254,14 +259,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -270,10 +275,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -298,7 +303,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -326,7 +331,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -362,7 +367,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -400,15 +405,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -418,7 +423,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -426,18 +431,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -488,7 +493,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -497,8 +502,8 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 9f5d2f5b57..4518a6142d 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -46,7 +46,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -68,11 +68,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -90,18 +90,18 @@ jobs: GH_AW_WORKFLOW_FILE: "smoke-copilot.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -116,15 +116,15 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/playwright_prompt.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/playwright_prompt.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -228,9 +228,9 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -248,10 +248,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -272,11 +272,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -297,6 +297,7 @@ jobs: issues: read pull-requests: read env: + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: smokecopilot outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -313,7 +314,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -356,7 +357,11 @@ jobs: - name: Capture GOROOT for AWF chroot mode run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -379,14 +384,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -395,10 +400,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -413,12 +418,12 @@ jobs: fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization - mkdir -p /opt/gh-aw + mkdir -p ${GH_AW_HOME} GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then - cp "$GH_AW_BIN" /opt/gh-aw/gh-aw - chmod +x /opt/gh-aw/gh-aw - echo "Copied gh-aw binary to /opt/gh-aw/gh-aw" + cp "$GH_AW_BIN" ${GH_AW_HOME}/gh-aw + chmod +x ${GH_AW_HOME}/gh-aw + echo "Copied gh-aw binary to ${GH_AW_HOME}/gh-aw" else echo "::error::Failed to find gh-aw binary for MCP server" exit 1 @@ -449,7 +454,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "agenticworkflows": { @@ -504,7 +509,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -540,7 +545,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -578,15 +583,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -596,7 +601,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -604,18 +609,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -666,7 +671,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -675,8 +680,8 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden index 238590dd5e..bfacfdd185 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden @@ -32,7 +32,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Generate agentic run info id: generate_aw_info env: @@ -54,11 +54,11 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${GH_AW_HOME}/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -76,9 +76,9 @@ jobs: GH_AW_WORKFLOW_FILE: "with-imports.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Create prompt with built-in context env: @@ -92,14 +92,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${GH_AW_HOME}/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" + cat "${GH_AW_HOME}/prompts/xpia.md" + cat "${GH_AW_HOME}/prompts/temp_folder_prompt.md" + cat "${GH_AW_HOME}/prompts/markdown.md" cat << 'GH_AW_PROMPT_EOF' The following GitHub context information is available for this workflow: @@ -149,9 +149,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -168,10 +168,10 @@ jobs: GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require(process.env.GH_AW_HOME + '/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -191,11 +191,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${GH_AW_HOME}/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${GH_AW_HOME}/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -212,6 +212,7 @@ jobs: permissions: contents: read env: + GH_AW_HOME: ${{ env.GH_AW_HOME || '/opt/gh-aw' }} GH_AW_WORKFLOW_ID_SANITIZED: withimports outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -228,13 +229,17 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: | + bash ${GH_AW_HOME}/actions/create_gh_aw_tmp_dir.sh + echo "GH_AW_SAFE_OUTPUTS=${GH_AW_HOME}/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${GH_AW_HOME}/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${GH_AW_HOME}/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -257,14 +262,14 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${GH_AW_HOME}/actions/install_copilot_cli.sh latest - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -273,10 +278,10 @@ jobs: GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} with: script: | - const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -301,7 +306,7 @@ jobs: export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -329,7 +334,7 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + run: bash ${GH_AW_HOME}/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -365,7 +370,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${GH_AW_HOME}/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -403,15 +408,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${GH_AW_HOME}/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -421,7 +426,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${GH_AW_HOME}/actions/append_agent_step_summary.sh - name: Parse agent logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -429,18 +434,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -491,7 +496,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /opt/gh-aw/actions + destination: ${{ env.GH_AW_HOME }}/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -500,8 +505,8 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require(process.env.GH_AW_HOME + '/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + const { main } = require(process.env.GH_AW_HOME + '/actions/check_membership.cjs'); await main(); diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go index 1bc30954d9..ca7d51ae07 100644 --- a/pkg/workflow/threat_detection_test.go +++ b/pkg/workflow/threat_detection_test.go @@ -621,7 +621,7 @@ func TestSetupScriptReferencesPromptFile(t *testing.T) { script := compiler.buildSetupScriptRequire() // Verify the script uses require to load setup_threat_detection.cjs - if !strings.Contains(script, "require('"+SetupActionDestination+"/setup_threat_detection.cjs')") { + if !strings.Contains(script, "require("+JsRequireGhAw("actions/setup_threat_detection.cjs")+")") { t.Error("Expected setup script to require setup_threat_detection.cjs") } From e1eddb98f5fed55253931552c81a55a2e989d06c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 14 Mar 2026 14:02:23 +0000 Subject: [PATCH 6/6] chore: merge main and recompile all 173 workflow lock files Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .changeset/1773446645-configure-gh-for-ghe.md | 5 + ...atch-disable-safe-outputs-http-timeouts.md | 5 + .changeset/patch-fix-ghes-pr-creation.md | 5 + .changeset/patch-update-mcpg-v0-1-15.md | 5 + .github/aw/github-agentic-workflows.md | 50 ++++++- .github/workflows/ace-editor.lock.yml | 4 +- .../agent-performance-analyzer.lock.yml | 4 +- .../workflows/agent-persona-explorer.lock.yml | 4 +- .github/workflows/ai-moderator.lock.yml | 4 +- .github/workflows/archie.lock.yml | 4 +- .github/workflows/artifacts-summary.lock.yml | 4 +- .github/workflows/audit-workflows.lock.yml | 4 +- .github/workflows/auto-triage-issues.lock.yml | 4 +- .github/workflows/blog-auditor.lock.yml | 4 +- .github/workflows/bot-detection.lock.yml | 4 +- .github/workflows/brave.lock.yml | 4 +- .../breaking-change-checker.lock.yml | 4 +- .github/workflows/changeset.lock.yml | 4 +- .../workflows/chroma-issue-indexer.lock.yml | 4 +- .github/workflows/ci-coach.lock.yml | 4 +- .github/workflows/ci-doctor.lock.yml | 4 +- .../claude-code-user-docs-review.lock.yml | 4 +- .../cli-consistency-checker.lock.yml | 4 +- .../workflows/cli-version-checker.lock.yml | 4 +- .github/workflows/cloclo.lock.yml | 4 +- .../workflows/code-scanning-fixer.lock.yml | 4 +- .github/workflows/code-simplifier.lock.yml | 4 +- .../codex-github-remote-mcp-test.lock.yml | 4 +- .../commit-changes-analyzer.lock.yml | 4 +- .../constraint-solving-potd.lock.yml | 4 +- .github/workflows/contribution-check.lock.yml | 4 +- .../workflows/copilot-agent-analysis.lock.yml | 4 +- .../copilot-cli-deep-research.lock.yml | 4 +- .../copilot-pr-merged-report.lock.yml | 4 +- .../copilot-pr-nlp-analysis.lock.yml | 4 +- .../copilot-pr-prompt-analysis.lock.yml | 4 +- .../copilot-session-insights.lock.yml | 4 +- .github/workflows/craft.lock.yml | 4 +- .../daily-architecture-diagram.lock.yml | 4 +- .../daily-assign-issue-to-user.lock.yml | 4 +- .github/workflows/daily-choice-test.lock.yml | 4 +- .../workflows/daily-cli-performance.lock.yml | 4 +- .../workflows/daily-cli-tools-tester.lock.yml | 4 +- .github/workflows/daily-code-metrics.lock.yml | 4 +- .../workflows/daily-compiler-quality.lock.yml | 4 +- .../daily-copilot-token-report.lock.yml | 4 +- .github/workflows/daily-doc-healer.lock.yml | 4 +- .github/workflows/daily-doc-updater.lock.yml | 4 +- .github/workflows/daily-fact.lock.yml | 4 +- .github/workflows/daily-file-diet.lock.yml | 4 +- .../workflows/daily-firewall-report.lock.yml | 4 +- .../workflows/daily-function-namer.lock.yml | 4 +- .../workflows/daily-issues-report.lock.yml | 4 +- .../daily-malicious-code-scan.lock.yml | 4 +- .../daily-mcp-concurrency-analysis.lock.yml | 4 +- .../daily-multi-device-docs-tester.lock.yml | 4 +- .github/workflows/daily-news.lock.yml | 4 +- .../daily-observability-report.lock.yml | 4 +- .../daily-performance-summary.lock.yml | 4 +- .github/workflows/daily-regulatory.lock.yml | 4 +- .../daily-rendering-scripts-verifier.lock.yml | 4 +- .../workflows/daily-repo-chronicle.lock.yml | 4 +- .../daily-safe-output-optimizer.lock.yml | 4 +- .../daily-safe-outputs-conformance.lock.yml | 4 +- .../workflows/daily-secrets-analysis.lock.yml | 4 +- .../daily-security-red-team.lock.yml | 4 +- .github/workflows/daily-semgrep-scan.lock.yml | 4 +- .../daily-syntax-error-quality.lock.yml | 4 +- .../daily-team-evolution-insights.lock.yml | 4 +- .github/workflows/daily-team-status.lock.yml | 4 +- .../daily-testify-uber-super-expert.lock.yml | 4 +- .../workflows/daily-workflow-updater.lock.yml | 4 +- .github/workflows/dead-code-remover.lock.yml | 4 +- .github/workflows/deep-report.lock.yml | 4 +- .github/workflows/delight.lock.yml | 4 +- .github/workflows/dependabot-burner.lock.yml | 4 +- .../workflows/dependabot-go-checker.lock.yml | 4 +- .github/workflows/dev-hawk.lock.yml | 4 +- .github/workflows/dev.lock.yml | 4 +- .../developer-docs-consolidator.lock.yml | 4 +- .github/workflows/dictation-prompt.lock.yml | 4 +- .../workflows/discussion-task-miner.lock.yml | 4 +- .github/workflows/docs-noob-tester.lock.yml | 4 +- .github/workflows/draft-pr-cleanup.lock.yml | 24 +++- .../duplicate-code-detector.lock.yml | 4 +- .../example-permissions-warning.lock.yml | 4 +- .../example-workflow-analyzer.lock.yml | 4 +- .github/workflows/firewall-escape.lock.yml | 4 +- .github/workflows/firewall.lock.yml | 4 +- .../workflows/functional-pragmatist.lock.yml | 4 +- .../github-mcp-structural-analysis.lock.yml | 4 +- .../github-mcp-tools-report.lock.yml | 4 +- .../github-remote-mcp-auth-test.lock.yml | 4 +- .../workflows/glossary-maintainer.lock.yml | 4 +- .github/workflows/go-fan.lock.yml | 4 +- .github/workflows/go-logger.lock.yml | 4 +- .../workflows/go-pattern-detector.lock.yml | 4 +- .github/workflows/gpclean.lock.yml | 4 +- .github/workflows/grumpy-reviewer.lock.yml | 4 +- .github/workflows/hourly-ci-cleaner.lock.yml | 4 +- .../workflows/instructions-janitor.lock.yml | 4 +- .github/workflows/issue-arborist.lock.yml | 4 +- .github/workflows/issue-monster.lock.yml | 4 +- .github/workflows/issue-triage-agent.lock.yml | 4 +- .github/workflows/jsweep.lock.yml | 4 +- .../workflows/layout-spec-maintainer.lock.yml | 4 +- .github/workflows/lockfile-stats.lock.yml | 4 +- .github/workflows/mcp-inspector.lock.yml | 4 +- .github/workflows/mergefest.lock.yml | 4 +- .github/workflows/metrics-collector.lock.yml | 4 +- .../workflows/notion-issue-summary.lock.yml | 4 +- .github/workflows/org-health-report.lock.yml | 4 +- .github/workflows/pdf-summary.lock.yml | 4 +- .github/workflows/plan.lock.yml | 4 +- .github/workflows/poem-bot.lock.yml | 24 +++- .github/workflows/portfolio-analyst.lock.yml | 4 +- .../workflows/pr-nitpick-reviewer.lock.yml | 4 +- .github/workflows/pr-triage-agent.lock.yml | 4 +- .../prompt-clustering-analysis.lock.yml | 4 +- .github/workflows/python-data-charts.lock.yml | 4 +- .github/workflows/q.lock.yml | 4 +- .github/workflows/refiner.lock.yml | 4 +- .github/workflows/release.lock.yml | 4 +- .../workflows/repo-audit-analyzer.lock.yml | 4 +- .github/workflows/repo-tree-map.lock.yml | 4 +- .../repository-quality-improver.lock.yml | 4 +- .github/workflows/research.lock.yml | 4 +- .github/workflows/safe-output-health.lock.yml | 4 +- .../schema-consistency-checker.lock.yml | 4 +- .github/workflows/scout.lock.yml | 4 +- ...ecurity-alert-burndown.campaign.g.lock.yml | 4 +- .../workflows/security-compliance.lock.yml | 4 +- .github/workflows/security-review.lock.yml | 4 +- .../semantic-function-refactor.lock.yml | 4 +- .github/workflows/sergo.lock.yml | 4 +- .../workflows/slide-deck-maintainer.lock.yml | 4 +- .../workflows/smoke-agent-all-merged.lock.yml | 4 +- .../workflows/smoke-agent-all-none.lock.yml | 4 +- .../smoke-agent-public-approved.lock.yml | 4 +- .../smoke-agent-public-none.lock.yml | 4 +- .../smoke-agent-scoped-approved.lock.yml | 4 +- .../workflows/smoke-call-workflow.lock.yml | 4 +- .github/workflows/smoke-claude.lock.yml | 24 +++- .github/workflows/smoke-codex.lock.yml | 4 +- .github/workflows/smoke-copilot-arm.lock.yml | 4 +- .github/workflows/smoke-copilot.lock.yml | 4 +- .../smoke-create-cross-repo-pr.lock.yml | 4 +- .github/workflows/smoke-gemini.lock.yml | 4 +- .github/workflows/smoke-multi-pr.lock.yml | 4 +- .github/workflows/smoke-project.lock.yml | 4 +- .github/workflows/smoke-temporary-id.lock.yml | 4 +- .github/workflows/smoke-test-tools.lock.yml | 4 +- .../smoke-update-cross-repo-pr.lock.yml | 4 +- .../smoke-workflow-call-with-inputs.lock.yml | 4 +- .../workflows/smoke-workflow-call.lock.yml | 4 +- .../workflows/stale-repo-identifier.lock.yml | 4 +- .../workflows/static-analysis-report.lock.yml | 4 +- .../workflows/step-name-alignment.lock.yml | 4 +- .github/workflows/sub-issue-closer.lock.yml | 4 +- .github/workflows/super-linter.lock.yml | 4 +- .../workflows/technical-doc-writer.lock.yml | 4 +- .github/workflows/terminal-stylist.lock.yml | 4 +- .../test-create-pr-error-handling.lock.yml | 4 +- .github/workflows/test-dispatcher.lock.yml | 4 +- .../test-project-url-default.lock.yml | 4 +- .github/workflows/test-workflow.lock.yml | 4 +- .github/workflows/tidy.lock.yml | 4 +- .github/workflows/typist.lock.yml | 4 +- .../workflows/ubuntu-image-analyzer.lock.yml | 4 +- .github/workflows/unbloat-docs.lock.yml | 4 +- .github/workflows/video-analyzer.lock.yml | 4 +- .../weekly-editors-health-check.lock.yml | 4 +- .../workflows/weekly-issue-summary.lock.yml | 4 +- .../weekly-safe-outputs-spec-review.lock.yml | 4 +- .github/workflows/workflow-generator.lock.yml | 4 +- .../workflow-health-manager.lock.yml | 4 +- .../workflows/workflow-normalizer.lock.yml | 4 +- .../workflow-skill-extractor.lock.yml | 4 +- AGENTS.md | 13 ++ actions/setup/js/add_comment.cjs | 124 +++-------------- actions/setup/js/add_comment.test.cjs | 4 +- .../setup/js/safe_output_handler_manager.cjs | 41 +++++- actions/setup/js/safe_output_manifest.cjs | 54 +++++--- .../setup/js/safe_output_manifest.test.cjs | 91 ++++++++++--- .../setup/js/safe_outputs_mcp_server_http.cjs | 7 + actions/setup/sh/configure_gh_for_ghe.sh | 122 +++++++++++++++++ actions/setup/sh/configure_gh_for_ghe_test.sh | 105 +++++++++++++++ docs/src/content/docs/reference/tools.md | 32 +---- docs/src/content/docs/setup/cli.md | 24 ++++ pkg/cli/audit_report.go | 8 +- pkg/cli/audit_report_test.go | 23 +++- pkg/cli/copilot_setup.go | 36 ++++- pkg/cli/copilot_setup_test.go | 55 ++++++++ pkg/cli/git.go | 54 ++++++++ pkg/cli/git_test.go | 127 ++++++++++++++++++ pkg/cli/pr_command.go | 23 +++- pkg/constants/constants.go | 2 +- .../safe_outputs_config_generation.go | 21 +++ .../safe_outputs_config_generation_test.go | 75 +++++++++++ .../basic-copilot.golden | 4 +- .../smoke-copilot.golden | 4 +- .../with-imports.golden | 4 +- 202 files changed, 1324 insertions(+), 551 deletions(-) create mode 100644 .changeset/1773446645-configure-gh-for-ghe.md create mode 100644 .changeset/patch-disable-safe-outputs-http-timeouts.md create mode 100644 .changeset/patch-fix-ghes-pr-creation.md create mode 100644 .changeset/patch-update-mcpg-v0-1-15.md create mode 100755 actions/setup/sh/configure_gh_for_ghe.sh create mode 100755 actions/setup/sh/configure_gh_for_ghe_test.sh diff --git a/.changeset/1773446645-configure-gh-for-ghe.md b/.changeset/1773446645-configure-gh-for-ghe.md new file mode 100644 index 0000000000..4a8d69d301 --- /dev/null +++ b/.changeset/1773446645-configure-gh-for-ghe.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Add gh CLI configuration script for GitHub Enterprise support. Workflows can now source `configure_gh_for_ghe.sh` before running `gh` commands to automatically detect and configure the correct GitHub Enterprise host from environment variables (`GITHUB_SERVER_URL`, `GITHUB_ENTERPRISE_HOST`, `GITHUB_HOST`, or `GH_HOST`). This fixes the "none of the git remotes configured for this repository point to a known GitHub host" error when running workflows like repo-assist on GHE domains. diff --git a/.changeset/patch-disable-safe-outputs-http-timeouts.md b/.changeset/patch-disable-safe-outputs-http-timeouts.md new file mode 100644 index 0000000000..6c1ed8bf27 --- /dev/null +++ b/.changeset/patch-disable-safe-outputs-http-timeouts.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Disable HTTP server timeouts in the safe-outputs MCP server to prevent idle localhost connections from being dropped during long agent runs. diff --git a/.changeset/patch-fix-ghes-pr-creation.md b/.changeset/patch-fix-ghes-pr-creation.md new file mode 100644 index 0000000000..76d787a791 --- /dev/null +++ b/.changeset/patch-fix-ghes-pr-creation.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Fix `add-wizard` and `add --create-pull-request` failing to create pull requests in GitHub Enterprise Server repositories. The PR creation commands now detect the GitHub host from the git `origin` remote URL and pass `--hostname` to `gh pr create`, ensuring GHES repositories are targeted correctly instead of always defaulting to github.com. diff --git a/.changeset/patch-update-mcpg-v0-1-15.md b/.changeset/patch-update-mcpg-v0-1-15.md new file mode 100644 index 0000000000..5c86b06533 --- /dev/null +++ b/.changeset/patch-update-mcpg-v0-1-15.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Update gh-aw-mcpg to v0.1.15 and recompile workflows to reference the updated MCP gateway container image. diff --git a/.github/aw/github-agentic-workflows.md b/.github/aw/github-agentic-workflows.md index d3d9cecb01..2378097d04 100644 --- a/.github/aw/github-agentic-workflows.md +++ b/.github/aw/github-agentic-workflows.md @@ -101,9 +101,10 @@ The YAML frontmatter supports these fields: ```yaml skip-if-match: query: "is:issue is:open label:in-progress" - max: 3 # Skip if 3 or more matches (default: 1) + max: 3 # Skip if 3 or more matches (default: 1) + scope: none # Optional: disable automatic repo:owner/repo scoping for org-wide queries ``` - - Query is automatically scoped to the current repository + - Query is automatically scoped to the current repository (use `scope: none` for cross-repo queries) - Use to avoid duplicate work (e.g., skip if an open issue already exists) - **`skip-if-no-match:`** - Skip workflow execution when a GitHub search query returns no results (string or object) - String format: `skip-if-no-match: "is:pr is:open label:ready-to-deploy"` (implies min=1) @@ -111,10 +112,31 @@ The YAML frontmatter supports these fields: ```yaml skip-if-no-match: query: "is:pr is:open label:ready-to-deploy" - min: 2 # Require at least 2 matches to proceed (default: 1) + min: 2 # Require at least 2 matches to proceed (default: 1) + scope: none # Optional: disable automatic repo:owner/repo scoping for org-wide queries ``` - - Query is automatically scoped to the current repository + - Query is automatically scoped to the current repository (use `scope: none` for cross-repo queries) - Use to gate workflows on preconditions (e.g., only run if open PRs exist) + - **`github-token:`** - Custom GitHub token for pre-activation reactions, status comments, and skip-if search queries (string) + - When specified, overrides the default `GITHUB_TOKEN` for these operations + - Example: `github-token: ${{ secrets.MY_GITHUB_TOKEN }}` + - **`github-app:`** - GitHub App credentials for minting a token used in pre-activation operations (object) + - Mints a single installation access token shared across reactions, status comments, and skip-if queries + - Can be defined in a shared agentic workflow and inherited by importing workflows + - Fields: + - `app-id:` - GitHub App ID (required, e.g., `${{ vars.APP_ID }}`) + - `private-key:` - GitHub App private key (required, e.g., `${{ secrets.APP_PRIVATE_KEY }}`) + - `owner:` - Optional installation owner (defaults to current repository owner) + - `repositories:` - Optional list of repositories to grant access to + - Example: + ```yaml + on: + issues: + types: [opened] + github-app: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + ``` - **`permissions:`** - GitHub token permissions - Object with permission levels: `read`, `write`, `none` @@ -262,8 +284,12 @@ The YAML frontmatter supports these fields: if: "hashFiles('go.mod') != ''" # Only install Go when go.mod exists ``` -- **`checkout:`** - Override how the repository is checked out in the agent job (object or array) +- **`checkout:`** - Override how the repository is checked out in the agent job (object, array, or `false`) - By default, the workflow automatically checks out the repository. Use this field to customize checkout behavior. + - Set to `false` to disable automatic checkout entirely (reduces startup time when repo access is not needed): + ```yaml + checkout: false + ``` - Single checkout (object): ```yaml checkout: @@ -523,6 +549,7 @@ The YAML frontmatter supports these fields: expires: 7 # Optional: auto-close after 7 days (supports: 2h, 7d, 2w, 1m, 1y; min: 2h) auto-merge: false # Optional: enable auto-merge when checks pass (default: false) base-branch: "vnext" # Optional: base branch for PR (defaults to workflow's branch) + preserve-branch-name: true # Optional: skip random salt suffix on agent-specified branch names (default: false) fallback-as-issue: false # Optional: when true (default), creates a fallback issue on PR creation failure; on permission errors, the issue includes a one-click link to create the PR via GitHub's compare URL target-repo: "owner/repo" # Optional: cross-repository github-token-for-extra-empty-commit: ${{ secrets.MY_CI_PAT }} # Optional: PAT or "app" to trigger CI on created PRs @@ -530,6 +557,8 @@ The YAML frontmatter supports these fields: **Auto-Expiration**: The `expires` field auto-closes PRs after a time period. Supports integers (days) or relative formats (2h, 7d, 2w, 1m, 1y). Minimum duration: 2 hours. Only for same-repo PRs without target-repo. Generates `agentics-maintenance.yml` workflow. + **Branch Name Preservation**: Set `preserve-branch-name: true` to skip the random salt suffix on agent-specified branch names. Useful when CI enforces branch naming conventions (e.g., Jira keys in uppercase). Invalid characters are still replaced for security; casing is always preserved. + **CI Triggering**: By default, PRs created with `GITHUB_TOKEN` do not trigger CI workflow runs. To trigger CI, set `github-token-for-extra-empty-commit` to a PAT with `Contents: Read & Write` permission, or to `"app"` to use the configured GitHub App. Alternatively, set the magic secret `GH_AW_CI_TRIGGER_TOKEN` to a suitable PAT — this is automatically used without requiring explicit configuration in the workflow. When using `output.create-pull-request`, the main job does **not** need `contents: write` or `pull-requests: write` permissions since PR creation is handled by a separate job with appropriate permissions. @@ -849,6 +878,17 @@ The YAML frontmatter supports these fields: max: 3 # Optional: max dispatches (default: 1, max: 3) ``` Triggers other agentic workflows in the same repository using workflow_dispatch. Agent output includes `workflow_name` (without .md extension) and optional `inputs` (key-value pairs). Not supported for cross-repository operations. + - `call-workflow:` - Call reusable workflows via workflow_call fan-out (orchestrator pattern) + ```yaml + safe-outputs: + call-workflow: + workflows: [worker-a, worker-b] # Required: workflow names (without .md) with workflow_call trigger + max: 1 # Optional: max calls per run (default: 1, max: 50) + github-token: ${{ secrets.TOKEN }} # Optional: token passed to called workflows + ``` + Array shorthand: `call-workflow: [worker-a, worker-b]` + + Unlike `dispatch-workflow` (which uses the GitHub Actions API at runtime), `call-workflow` generates static conditional `uses:` jobs at compile time. The agent selects which worker to activate; the compiler validates and wires up all fan-out jobs. Each listed workflow must exist in `.github/workflows/` and declare a `workflow_call` trigger. Use this for orchestrator/dispatcher patterns within the same repository. - `create-code-scanning-alert:` - Generate SARIF security advisories ```yaml safe-outputs: diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index 5fad5489b1..1ceba11584 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -327,7 +327,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -349,7 +349,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 4bb2c68bac..66391f1894 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -385,7 +385,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -853,7 +853,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 3e8b336018..037eb82fe4 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -383,7 +383,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -699,7 +699,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 8e182db7dc..c519f5fdab 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -387,7 +387,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -726,7 +726,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index a7f25e3d70..fb0d9a4474 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -392,7 +392,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -678,7 +678,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index a0a8c937c2..73d00a7cfc 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -329,7 +329,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -620,7 +620,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 0b934269a9..67b1c1936c 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -442,7 +442,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -810,7 +810,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index b3879ea19a..1597c86b1b 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -342,7 +342,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -681,7 +681,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index d1392551f0..8a817ff053 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -341,7 +341,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -633,7 +633,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index f4fec8a658..ae6b18bed0 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -343,7 +343,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -782,7 +782,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 8dc2da31d4..41a749ed54 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -376,7 +376,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -663,7 +663,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e BRAVE_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e BRAVE_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index d8b89145e0..de9bc2fc2b 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -335,7 +335,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -648,7 +648,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 06c7c651b4..11c7d9cc4e 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -397,7 +397,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -764,7 +764,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/chroma-issue-indexer.lock.yml b/.github/workflows/chroma-issue-indexer.lock.yml index 115bebb51b..2a701274ac 100644 --- a/.github/workflows/chroma-issue-indexer.lock.yml +++ b/.github/workflows/chroma-issue-indexer.lock.yml @@ -327,7 +327,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/chroma + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/chroma - name: Start MCP Gateway id: start-mcp-gateway env: @@ -349,7 +349,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 72dc253940..51068f5e7e 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -401,7 +401,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -717,7 +717,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 0211714d1d..b1a8f525cb 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -389,7 +389,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -883,7 +883,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 83b463bd76..187c51f56d 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -356,7 +356,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -647,7 +647,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 57f5758596..31e6a99ab9 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -320,7 +320,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -633,7 +633,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 2a1decb014..9fe24e6602 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -360,7 +360,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -673,7 +673,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 6b165272eb..56f0ed0163 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -496,7 +496,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -893,7 +893,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 48cf5802ff..27cd89005b 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -361,7 +361,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -740,7 +740,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 5bd8f7b651..fa474c6d02 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -344,7 +344,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -660,7 +660,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 34f706ac74..579af79966 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -305,7 +305,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -327,7 +327,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index a79f9c5442..d589b17807 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -340,7 +340,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -631,7 +631,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 4371d8ad98..c03a8e3b44 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -323,7 +323,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -614,7 +614,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index c985475927..e654b4f263 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -320,7 +320,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -735,7 +735,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index d34f2c120f..02cdbef99b 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -397,7 +397,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -703,7 +703,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 60549dd631..424516d36f 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -354,7 +354,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -660,7 +660,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index aee6ffd097..baa16ac321 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -368,7 +368,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -764,7 +764,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 5a31c943a4..fa551f9c75 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -423,7 +423,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -766,7 +766,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 495bdc0de4..11a029d7c1 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -389,7 +389,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -695,7 +695,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 69867f809d..ed2a5d1e50 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -434,7 +434,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -777,7 +777,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index dbf4ea152f..b287d02639 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -374,7 +374,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -716,7 +716,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 3ecae57956..1d5c7a3e45 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -345,7 +345,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -743,7 +743,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 11613f3f5a..a831527a6e 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -317,7 +317,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -664,7 +664,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 0ecb401b13..8f2a3a10db 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -326,7 +326,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -588,7 +588,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 32b0336ae2..8a1419523e 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -359,7 +359,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -869,7 +869,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 63d8ff5b86..18be4ac043 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -363,7 +363,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -701,7 +701,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 520d021030..dcbb6802c7 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -408,7 +408,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -751,7 +751,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 8b3696fc21..422b36f2f3 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -348,7 +348,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -639,7 +639,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 2a0ab7f6e5..c84303da10 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -431,7 +431,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -774,7 +774,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 79f1a83ec0..8ac8c54249 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -376,7 +376,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -876,7 +876,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index aefc237dd0..21aa7e6355 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -372,7 +372,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -790,7 +790,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 422bc078c9..2462263f94 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -307,7 +307,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -593,7 +593,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 10cca95ed0..45a9866450 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -343,7 +343,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -656,7 +656,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 3f1e73d521..a677a559c1 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -409,7 +409,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -762,7 +762,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index b3f5f8ba0c..2fb9e6f954 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -358,7 +358,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -671,7 +671,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 966a23bf77..2a374796bb 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -401,7 +401,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -797,7 +797,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 25e8a889b9..c447ce1681 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -324,7 +324,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -656,7 +656,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 3a14e42eab..ed186eb2b5 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -347,7 +347,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -700,7 +700,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 811a03555a..47e8a83ed5 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -354,7 +354,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -705,7 +705,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 014257745c..84f2f7ad0f 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -476,7 +476,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -820,7 +820,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 384ed76638..81dd5d0f58 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -373,7 +373,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -758,7 +758,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index cace521060..e812afd98c 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -384,7 +384,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -1240,7 +1240,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index fc9e751a23..268f0b6548 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -338,7 +338,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -1157,7 +1157,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 9defc46f92..bf3e485233 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -396,7 +396,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -737,7 +737,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 61b54eeb0c..9b3f7babb5 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -376,7 +376,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -704,7 +704,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 094e6b8999..04d2f7f00e 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -403,7 +403,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -741,7 +741,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index a062866373..fffdd8be1b 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -335,7 +335,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -648,7 +648,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index ff2fff5a7a..b4d8bd93db 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -328,7 +328,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -688,7 +688,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 4f56aa73f6..3954a40e35 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -339,7 +339,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -652,7 +652,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 4c06df8927..d4963acbe1 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -331,7 +331,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine semgrep/semgrep:latest + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine semgrep/semgrep:latest - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -663,7 +663,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 15f9901d9a..aed31a327c 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -330,7 +330,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -642,7 +642,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index fe15f18f47..0070e59693 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -338,7 +338,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -629,7 +629,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 8661092703..32c18b332b 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -341,7 +341,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -654,7 +654,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 908d92abcc..b342f30e60 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -368,7 +368,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -696,7 +696,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index c935058fe2..73ae4d7dc9 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -321,7 +321,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -637,7 +637,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 5fc6cbbfe8..e4324006d7 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -367,7 +367,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -683,7 +683,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 8e7537c639..979141e461 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -426,7 +426,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -876,7 +876,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 60b15f22d0..e0ef84b999 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -359,7 +359,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -747,7 +747,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 8c518b3ff7..ea3043315c 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -333,7 +333,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -646,7 +646,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 25bf7203be..176ea9904b 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -332,7 +332,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -695,7 +695,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 72e5648294..6170e59805 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -385,7 +385,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -696,7 +696,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 4ed091329c..95a51f3152 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -317,7 +317,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -630,7 +630,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 73e5cff15c..d1dc64d115 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -405,7 +405,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -898,7 +898,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 34d02e170f..128adce9c8 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -348,7 +348,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -766,7 +766,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 0702f75ad4..b6233f8c0c 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -350,7 +350,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -732,7 +732,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 1693478c2b..018c302378 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -334,7 +334,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -663,7 +663,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 2b7cb00bab..6e8cecdcfd 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -319,14 +319,14 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' - {"add_comment":{"max":20},"add_labels":{"max":20},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"add_comment":{"max":20},"add_labels":{"max":20},"close_pull_request":{"max":10,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | @@ -564,6 +564,24 @@ jobs: } } }, + "close_pull_request": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "pull_request_number": { + "optionalPositiveInteger": true + }, + "repo": { + "type": "string", + "maxLength": 256 + } + } + }, "missing_data": { "defaultMax": 20, "fields": { @@ -685,7 +703,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index ec47acb146..e305bca2d0 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -346,7 +346,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -659,7 +659,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index f2e5b8784d..4a7e8eb2a5 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -300,7 +300,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -322,7 +322,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 666527192f..7d78980531 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -365,7 +365,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -681,7 +681,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index f6a934d116..3f4742d282 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -384,7 +384,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -690,7 +690,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index 060ff4e85d..d3d1e3b1e0 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -302,7 +302,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -324,7 +324,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 2455f266f6..21c06b1d67 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -334,7 +334,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -650,7 +650,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 6b1e145b22..d2efc766dd 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -384,7 +384,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -712,7 +712,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index d98bb1d02e..3012158c1d 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -358,7 +358,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -734,7 +734,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index dac1ea0b46..ea694b5fb1 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -329,7 +329,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -621,7 +621,7 @@ jobs: export GH_AW_ENGINE="copilot" export GITHUB_PERSONAL_ACCESS_TOKEN="$GITHUB_MCP_SERVER_TOKEN" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_PERSONAL_ACCESS_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_PERSONAL_ACCESS_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 9bf4b36867..65609a0bd2 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -414,7 +414,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -847,7 +847,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 28e59b8900..66d81b507c 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -358,7 +358,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -649,7 +649,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 57ade40f00..e1c4ce711a 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -370,7 +370,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -813,7 +813,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 4e7d1ecfd8..c011265f89 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -346,7 +346,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/ast-grep:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/ast-grep:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -659,7 +659,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 8f1c0eaf7d..8e186bab9e 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -354,7 +354,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -667,7 +667,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 4eb376cc7d..11563b5826 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -384,7 +384,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -750,7 +750,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 862ba8a577..2fcadf43ff 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -384,7 +384,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -700,7 +700,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index a0bc58cfa5..ff27dcdf3f 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -347,7 +347,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -663,7 +663,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 42a986142c..491e3f1408 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -340,7 +340,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -766,7 +766,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index c888d60e74..c5c793f5c3 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -348,7 +348,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -698,7 +698,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index a35af45335..48adbd5f8a 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -306,7 +306,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -639,7 +639,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 9a8f4462e0..156fa1bcb9 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -355,7 +355,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -671,7 +671,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index be449f0d70..e1f9f2f613 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -334,7 +334,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -650,7 +650,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 10a3db4fbf..5234638fc0 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -352,7 +352,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -643,7 +643,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index a44f155ad8..5780d0f236 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -449,7 +449,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -812,7 +812,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID -e BRAVE_API_KEY -e CONTEXT7_API_KEY -e DD_API_KEY -e DD_APPLICATION_KEY -e DD_SITE -e NOTION_API_TOKEN -e SENTRY_ACCESS_TOKEN -e SENTRY_HOST -e SENTRY_OPENAI_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID -e BRAVE_API_KEY -e CONTEXT7_API_KEY -e DD_API_KEY -e DD_APPLICATION_KEY -e DD_SITE -e NOTION_API_TOKEN -e SENTRY_ACCESS_TOKEN -e SENTRY_HOST -e SENTRY_OPENAI_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 971205293c..3da6aaee7d 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -373,7 +373,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -660,7 +660,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 15561147ce..9c2b6c4802 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -366,7 +366,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -413,7 +413,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index bda1e82b9e..0ac314b641 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -332,7 +332,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/notion node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/notion node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -581,7 +581,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e NOTION_API_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e NOTION_API_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 10c7863542..746c10072d 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -377,7 +377,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -704,7 +704,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 802dc0e1fe..5964ed53f4 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -426,7 +426,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/markitdown node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -772,7 +772,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 9ad5d5b56d..7a20fff017 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -367,7 +367,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -748,7 +748,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index beb7a4803f..e3a0c9e447 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -415,14 +415,14 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' - {"add_comment":{"max":3,"target":"*"},"add_labels":{"allowed":["poetry","creative","automation","ai-generated","epic","haiku","sonnet","limerick"],"max":5},"create_agent_session":{"max":1},"create_discussion":{"expires":24,"max":2},"create_issue":{"expires":48,"group":true,"max":2},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[🎨 POETRY] "},"create_pull_request_review_comment":{"max":2},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1},"update_issue":{"max":2},"upload_asset":{"max":0}} + {"add_comment":{"max":3,"target":"*"},"add_labels":{"allowed":["poetry","creative","automation","ai-generated","epic","haiku","sonnet","limerick"],"max":5},"close_pull_request":{"max":2,"required_labels":["poetry","automation"],"required_title_prefix":"[🎨 POETRY]","target":"*"},"create_agent_session":{"max":1},"create_discussion":{"expires":24,"max":2},"create_issue":{"expires":48,"group":true,"max":2},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{"expires":48,"max":1,"reviewers":["copilot"],"title_prefix":"[🎨 POETRY] "},"create_pull_request_review_comment":{"max":2},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1},"update_issue":{"max":2},"upload_asset":{"max":0}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | @@ -1039,6 +1039,24 @@ jobs: } } }, + "close_pull_request": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "pull_request_number": { + "optionalPositiveInteger": true + }, + "repo": { + "type": "string", + "maxLength": 256 + } + } + }, "create_agent_session": { "defaultMax": 1, "fields": { @@ -1408,7 +1426,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 39bbd6e7f7..809fd4d17c 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -420,7 +420,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -773,7 +773,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 5945d61a84..34b1b81146 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -424,7 +424,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -851,7 +851,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 8f5b7877e5..78eb0a7812 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -341,7 +341,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -771,7 +771,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 8399a2187b..59aa0282be 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -447,7 +447,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -763,7 +763,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 0ed357bdb3..932c71e616 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -408,7 +408,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -761,7 +761,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 8af1ab44cc..88d24eec2b 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -473,7 +473,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -869,7 +869,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 2149c26703..7b3bdb42b2 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -350,7 +350,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -720,7 +720,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index db5a941a48..a9cc661e2a 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -347,7 +347,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -643,7 +643,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 8d90d1e403..81633b3a41 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -354,7 +354,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -645,7 +645,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index e9ce532722..2e518f8acd 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -330,7 +330,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -621,7 +621,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 974071d33a..be1708efac 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -353,7 +353,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -644,7 +644,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 26d704aaee..a5b4cba522 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -340,7 +340,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -632,7 +632,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 8c15dec620..1998634e8d 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -394,7 +394,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -710,7 +710,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index e94346cd1b..d5626fe8e9 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -352,7 +352,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -643,7 +643,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index e7c42b0c32..28dd980fc5 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -477,7 +477,7 @@ jobs: - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@latest - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -811,7 +811,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index 554ad4928d..2e72f960ff 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml @@ -362,7 +362,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -1023,7 +1023,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 81951290f7..c5f007e70b 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -378,7 +378,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -706,7 +706,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index c9956c3bb4..4f3804bf55 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -425,7 +425,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -817,7 +817,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index a8ed626a16..339c5e0838 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -340,7 +340,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -703,7 +703,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 92cfd133d7..34765da85b 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -358,7 +358,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -649,7 +649,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 841c23a194..0035a6f704 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -382,7 +382,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -699,7 +699,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index eff8ef5b08..d7052e9f6e 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -365,7 +365,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -651,7 +651,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 2614795b34..e246ba65c8 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -365,7 +365,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -651,7 +651,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 29f09e580c..da9b913184 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -365,7 +365,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -716,7 +716,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 82a38e0be3..4c7e8bfc8d 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -365,7 +365,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -651,7 +651,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index e8ebe9ba42..1086f44bbc 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -365,7 +365,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -651,7 +651,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 44ca4694d4..14beec0fa3 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -349,7 +349,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -672,7 +672,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index d5db03bd64..d73098f1d9 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -817,7 +817,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -848,7 +848,7 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > ${GH_AW_HOME}/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' - {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-claude"],"max":3},"add_reviewer":{"max":2},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1,"target":"*"},"resolve_pull_request_review_thread":{"max":5},"submit_pull_request_review":{"max":1},"update_pull_request":{"max":1}} + {"add_comment":{"max":2},"add_labels":{"allowed":["smoke-claude"],"max":3},"add_reviewer":{"max":2},"close_pull_request":{"max":1,"staged":true},"create_issue":{"expires":2,"group":true,"max":1},"create_pull_request_review_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":1,"target":"*"},"resolve_pull_request_review_thread":{"max":5},"submit_pull_request_review":{"max":1},"update_pull_request":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | @@ -1380,6 +1380,24 @@ jobs: } } }, + "close_pull_request": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "pull_request_number": { + "optionalPositiveInteger": true + }, + "repo": { + "type": "string", + "maxLength": 256 + } + } + }, "create_issue": { "defaultMax": 1, "fields": { @@ -2211,7 +2229,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 07a7d34d97..190bf6eb21 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -422,7 +422,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/fetch mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcp/fetch mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -1118,7 +1118,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_EOF [history] diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index d9a68b6c3e..b2060c1b93 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -451,7 +451,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -1681,7 +1681,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index a9a1106827..cb0667f860 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -454,7 +454,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -1796,7 +1796,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 8fc75702bb..5dbe1d96f6 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -375,7 +375,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -828,7 +828,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 3d96417971..30c2f9e992 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -408,7 +408,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcp/fetch node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcp/fetch node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -929,7 +929,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="gemini" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index ae2558a9d5..4c1910a622 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -377,7 +377,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -748,7 +748,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 8cab1396ef..fa7e93e483 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -376,7 +376,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -1206,7 +1206,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 3dd56cd72a..2f2cf1f565 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -372,7 +372,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -794,7 +794,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 5c6533ae8e..f3af336cd3 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -386,7 +386,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -672,7 +672,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index a2a930de4e..919bf6b99f 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -399,7 +399,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -823,7 +823,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 1bb5682f4a..c409b1a885 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -377,7 +377,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -690,7 +690,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 32c6391708..b940bc3297 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -357,7 +357,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -643,7 +643,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 32aca42fcc..afb04a23db 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -428,7 +428,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -777,7 +777,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 33217a2f18..73d4085c15 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -390,7 +390,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -706,7 +706,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 7caa0a60e1..e6f7e5d5a9 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -344,7 +344,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -657,7 +657,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 604e466304..ac13c71fc2 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -323,7 +323,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -735,7 +735,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 7d452057aa..f303c99262 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -362,7 +362,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -675,7 +675,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index b7fcc9605b..e5c01eed14 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -426,7 +426,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -951,7 +951,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 94d6bbc893..c3e3bc4b4f 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -334,7 +334,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -625,7 +625,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index b409887ba1..561f2ffd89 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -342,7 +342,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -658,7 +658,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index e18ff14728..48585981f5 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -316,7 +316,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -565,7 +565,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 127db8c7f0..ebef13bb7f 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -315,7 +315,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -824,7 +824,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index a9b46c1914..0c81390260 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -302,7 +302,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -324,7 +324,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 50077b57ca..31b72de95f 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -395,7 +395,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -767,7 +767,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index db61bc4beb..97b68b7f0e 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -339,7 +339,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -630,7 +630,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 5e5e3f64b4..e003966d59 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -340,7 +340,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -656,7 +656,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index f8c204931d..df130cace0 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -434,7 +434,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -945,7 +945,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh { diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 498a0ef588..2d8a0bd7b0 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -344,7 +344,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -657,7 +657,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 2dc8118aaa..dc56d0de5f 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -330,7 +330,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -684,7 +684,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 71d5b4f3c3..48962cac4e 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -357,7 +357,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -684,7 +684,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 6db7222251..606aafee39 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -318,7 +318,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -633,7 +633,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index e319cbf973..83b67626da 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -357,7 +357,7 @@ jobs: - name: Install AWF binary run: bash ${GH_AW_HOME}/actions/install_awf_binary.sh v0.24.1 - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -778,7 +778,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 0d4cb917cf..a5ec353281 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -359,7 +359,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -868,7 +868,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index e5e40ccddd..8ed4ec3321 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -362,7 +362,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -700,7 +700,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index a18f95320d..ec37f2dec6 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -331,7 +331,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p ${GH_AW_HOME}/safeoutputs @@ -704,7 +704,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/AGENTS.md b/AGENTS.md index 69cb7b0d95..9b04275a5b 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -30,6 +30,14 @@ Each skill provides focused guidance on specific topics. Reference them only as ## Critical Requirements +### ⚠️ MANDATORY: Always Create a Pull Request ⚠️ + +**🚨 IF YOU ARE THE GITHUB COPILOT CODING AGENT AND YOU HAVE FILE CHANGES, YOU MUST ALWAYS CREATE A PULL REQUEST - NO EXCEPTIONS.** + +Use the **report_progress** tool to commit and push your changes. This will automatically create or update the pull request. + +**Never leave file changes uncommitted.** Even for small or "obvious" changes, always use **report_progress** to push your work to a PR so it can be reviewed. + ### ⚠️ MANDATORY PRE-COMMIT VALIDATION ⚠️ **🚨 BEFORE EVERY COMMIT - NO EXCEPTIONS:** @@ -1135,6 +1143,11 @@ make minor-release # Automated via GitHub Actions ## Quick Reference for AI Agents +### 🚨 CRITICAL - Always Create a Pull Request +**If you are the GitHub Copilot coding agent and you have file changes, you MUST always create a pull request.** + +Use **report_progress** to commit, push, and update the PR. Never leave changes uncommitted. + ### 🚨 CRITICAL - Pre-Commit Checklist Before EVERY commit: 1. ✅ Run `make agent-finish` (or at minimum `make fmt`) diff --git a/actions/setup/js/add_comment.cjs b/actions/setup/js/add_comment.cjs index 9d6acfce49..bc9c59e2a4 100644 --- a/actions/setup/js/add_comment.cjs +++ b/actions/setup/js/add_comment.cjs @@ -217,7 +217,7 @@ async function hideOlderComments(github, owner, repo, itemNumber, workflowId, is const nodeId = isDiscussion ? String(comment.id) : comment.node_id; core.info(`Hiding comment: ${nodeId}`); - const result = await minimizeComment(github, nodeId, normalizedReason); + await minimizeComment(github, nodeId, normalizedReason); hiddenCount++; core.info(`✓ Hidden comment: ${nodeId}`); } @@ -357,8 +357,6 @@ async function main(config = {}) { processedCount++; - const item = message; - // Merge resolved temp IDs if (resolvedTemporaryIds) { for (const [tempId, resolved] of Object.entries(resolvedTemporaryIds)) { @@ -369,7 +367,7 @@ async function main(config = {}) { } // Resolve and validate target repository - const repoResult = resolveAndValidateRepo(item, defaultTargetRepo, allowedRepos, "comment"); + const repoResult = resolveAndValidateRepo(message, defaultTargetRepo, allowedRepos, "comment"); if (!repoResult.success) { core.warning(`Skipping comment: ${repoResult.error}`); return { @@ -385,26 +383,26 @@ async function main(config = {}) { let isDiscussion = false; // Check if item_number was explicitly provided in the message - if (item.item_number !== undefined && item.item_number !== null) { + if (message.item_number !== undefined && message.item_number !== null) { // Resolve temporary IDs if present - const resolvedTarget = resolveRepoIssueTarget(item.item_number, temporaryIdMap, repoParts.owner, repoParts.repo); + const resolvedTarget = resolveRepoIssueTarget(message.item_number, temporaryIdMap, repoParts.owner, repoParts.repo); // Check if this is an unresolved temporary ID if (resolvedTarget.wasTemporaryId && !resolvedTarget.resolved) { - core.info(`Deferring add_comment: unresolved temporary ID (${item.item_number})`); + core.info(`Deferring add_comment: unresolved temporary ID (${message.item_number})`); return { success: false, deferred: true, - error: resolvedTarget.errorMessage || `Unresolved temporary ID: ${item.item_number}`, + error: resolvedTarget.errorMessage || `Unresolved temporary ID: ${message.item_number}`, }; } // Check for other resolution errors (including null resolved) if (resolvedTarget.errorMessage || !resolvedTarget.resolved) { - core.warning(`Invalid item_number specified: ${item.item_number}`); + core.warning(`Invalid item_number specified: ${message.item_number}`); return { success: false, - error: `Invalid item_number specified: ${item.item_number}`, + error: `Invalid item_number specified: ${message.item_number}`, }; } @@ -433,7 +431,7 @@ async function main(config = {}) { // For issues/PRs, use the resolveTarget helper which respects target configuration const targetResult = resolveTarget({ targetConfig: commentTarget, - item: item, + item: message, context: context, itemType: "add_comment", supportsPR: true, // add_comment supports both issues and PRs @@ -460,7 +458,7 @@ async function main(config = {}) { // author so the second sanitization pass does not accidentally strip them. const parentAuthors = []; if (!isDiscussion) { - if (item.item_number !== undefined && item.item_number !== null) { + if (message.item_number !== undefined && message.item_number !== null) { // Explicit item_number: fetch the issue/PR to get its author try { const { data: issueData } = await githubClient.rest.issues.get({ @@ -494,7 +492,7 @@ async function main(config = {}) { } // Replace temporary ID references in body - let processedBody = replaceTemporaryIdReferences(item.body || "", temporaryIdMap, itemRepo); + let processedBody = replaceTemporaryIdReferences(message.body || "", temporaryIdMap, itemRepo); // Sanitize content to prevent injection attacks, allowing parent issue/PR/discussion authors // so they can be @mentioned in the generated comment. @@ -583,6 +581,12 @@ async function main(config = {}) { }; } + // Records a created comment in createdComments and returns the success result. + const recordComment = (/** @type {{ id: string | number, html_url: string }} */ comment, /** @type {boolean} */ isDiscussionFlag) => { + createdComments.push({ id: comment.id, html_url: comment.html_url, _tracking: { commentId: comment.id, itemNumber, repo: itemRepo, isDiscussion: isDiscussionFlag } }); + return { success: true, commentId: comment.id, url: comment.html_url, itemNumber, repo: itemRepo, isDiscussion: isDiscussionFlag }; + }; + try { // Hide older comments if enabled AND append-only-comments is not enabled // When append-only-comments is true, we want to keep all comments visible @@ -595,27 +599,6 @@ async function main(config = {}) { /** @type {{ id: string | number, html_url: string }} */ let comment; if (isDiscussion) { - // Use GraphQL for discussions - const discussionQuery = ` - query($owner: String!, $repo: String!, $number: Int!) { - repository(owner: $owner, name: $repo) { - discussion(number: $number) { - id - } - } - } - `; - const queryResult = await githubClient.graphql(discussionQuery, { - owner: repoParts.owner, - repo: repoParts.repo, - number: itemNumber, - }); - - const discussionId = queryResult?.repository?.discussion?.id; - if (!discussionId) { - throw new Error(`${ERR_NOT_FOUND}: Discussion #${itemNumber} not found in ${itemRepo}`); - } - comment = await commentOnDiscussion(githubClient, repoParts.owner, repoParts.repo, itemNumber, processedBody, null); } else { // Use REST API for issues/PRs @@ -629,29 +612,7 @@ async function main(config = {}) { } core.info(`Created comment: ${comment.html_url}`); - - // Add tracking metadata - const commentResult = { - id: comment.id, - html_url: comment.html_url, - _tracking: { - commentId: comment.id, - itemNumber: itemNumber, - repo: itemRepo, - isDiscussion: isDiscussion, - }, - }; - - createdComments.push(commentResult); - - return { - success: true, - commentId: comment.id, - url: comment.html_url, - itemNumber: itemNumber, - repo: itemRepo, - isDiscussion: isDiscussion, - }; + return recordComment(comment, isDiscussion); } catch (error) { const errorMessage = getErrorMessage(error); @@ -661,58 +622,15 @@ async function main(config = {}) { // If 404 and item_number was explicitly provided and we tried as issue/PR, // retry as a discussion (the user may have provided a discussion number) - if (is404 && !isDiscussion && item.item_number !== undefined && item.item_number !== null) { + if (is404 && !isDiscussion && message.item_number !== undefined && message.item_number !== null) { core.info(`Item #${itemNumber} not found as issue/PR, retrying as discussion...`); try { - // Try to find and comment on the discussion - const discussionQuery = ` - query($owner: String!, $repo: String!, $number: Int!) { - repository(owner: $owner, name: $repo) { - discussion(number: $number) { - id - } - } - } - `; - const queryResult = await githubClient.graphql(discussionQuery, { - owner: repoParts.owner, - repo: repoParts.repo, - number: itemNumber, - }); - - const discussionId = queryResult?.repository?.discussion?.id; - if (!discussionId) { - throw new Error(`${ERR_NOT_FOUND}: Discussion #${itemNumber} not found in ${itemRepo}`); - } - - core.info(`Found discussion #${itemNumber}, adding comment...`); + core.info(`Trying #${itemNumber} as discussion...`); const comment = await commentOnDiscussion(githubClient, repoParts.owner, repoParts.repo, itemNumber, processedBody, null); core.info(`Created comment on discussion: ${comment.html_url}`); - - // Add tracking metadata - const commentResult = { - id: comment.id, - html_url: comment.html_url, - _tracking: { - commentId: comment.id, - itemNumber: itemNumber, - repo: itemRepo, - isDiscussion: true, - }, - }; - - createdComments.push(commentResult); - - return { - success: true, - commentId: comment.id, - url: comment.html_url, - itemNumber: itemNumber, - repo: itemRepo, - isDiscussion: true, - }; + return recordComment(comment, true); } catch (discussionError) { const discussionErrorMessage = getErrorMessage(discussionError); // @ts-expect-error - Error handling with optional chaining diff --git a/actions/setup/js/add_comment.test.cjs b/actions/setup/js/add_comment.test.cjs index e2304ce393..54061e4a3c 100644 --- a/actions/setup/js/add_comment.test.cjs +++ b/actions/setup/js/add_comment.test.cjs @@ -879,8 +879,8 @@ describe("add_comment", () => { const retryLog = infoCalls.find(msg => msg.includes("retrying as discussion")); expect(retryLog).toBeTruthy(); - const foundLog = infoCalls.find(msg => msg.includes("Found discussion")); - expect(foundLog).toBeTruthy(); + const createdLog = infoCalls.find(msg => msg.includes("Created comment on discussion")); + expect(createdLog).toBeTruthy(); }); it("should return skipped when item_number not found as issue/PR or discussion", async () => { diff --git a/actions/setup/js/safe_output_handler_manager.cjs b/actions/setup/js/safe_output_handler_manager.cjs index 7cfc8ca835..035c913500 100644 --- a/actions/setup/js/safe_output_handler_manager.cjs +++ b/actions/setup/js/safe_output_handler_manager.cjs @@ -209,6 +209,19 @@ function collectMissingMessages(messages) { return { missingTools, missingData, noopMessages }; } +/** + * Format a log message for a manifest entry. + * Prefers the URL when available, otherwise falls back to the item number. + * + * @param {{type: string, url?: string, number?: number}} item - Manifest item + * @returns {string} Formatted log message + */ +function formatManifestLogMessage(item) { + if (item.url) return `📝 Manifest: logged ${item.type} → ${item.url}`; + if (item.number != null) return `📝 Manifest: logged ${item.type} #${item.number}`; + return `📝 Manifest: logged ${item.type}`; +} + /** * Process all messages from agent output in the order they appear * Dispatches each message to the appropriate handler while maintaining shared state (temporary ID map) @@ -304,8 +317,28 @@ async function processMessages(messageHandlers, messages, onItemCreated = null) // Check if this message type is handled by a custom safe output job if (customJobTypes.has(messageType)) { - // Silently skip - this is handled by a custom safe output job step core.debug(`Message ${i + 1} (${messageType}) will be handled by custom safe output job`); + + // Log the dispatch to the manifest so the operation is counted in SafeItemsCount. + // The custom job does the actual work; here we record the intent from the message. + if (onItemCreated) { + // Prefer item_number (explicit target), fall back to issue_number then pull_request_number. + // This mirrors the precedence order used by individual safe output handlers. + const rawNumber = message.item_number ?? message.issue_number ?? message.pull_request_number; + const itemNumber = rawNumber != null ? parseInt(String(rawNumber), 10) : undefined; + const validNumber = itemNumber != null && !isNaN(itemNumber) ? itemNumber : undefined; + + const messageResult = { + ...(validNumber != null ? { number: validNumber } : {}), + ...(message.repo ? { repo: message.repo } : {}), + }; + const createdItem = extractCreatedItemFromResult(messageType, messageResult); + if (createdItem) { + core.info(formatManifestLogMessage(createdItem)); + onItemCreated(createdItem); + } + } + results.push({ type: messageType, messageIndex: i, @@ -457,14 +490,14 @@ async function processMessages(messageHandlers, messages, onItemCreated = null) for (const item of result) { const createdItem = extractCreatedItemFromResult(messageType, item); if (createdItem) { - core.info(`📝 Manifest: logged ${createdItem.type} → ${createdItem.url}`); + core.info(formatManifestLogMessage(createdItem)); onItemCreated(createdItem); } } } else { const createdItem = extractCreatedItemFromResult(messageType, result); if (createdItem) { - core.info(`📝 Manifest: logged ${createdItem.type} → ${createdItem.url}`); + core.info(formatManifestLogMessage(createdItem)); onItemCreated(createdItem); } } @@ -573,7 +606,7 @@ async function processMessages(messageHandlers, messages, onItemCreated = null) if (onItemCreated) { const createdItem = extractCreatedItemFromResult(deferred.type, result); if (createdItem) { - core.info(`📝 Manifest: logged ${createdItem.type} → ${createdItem.url}`); + core.info(formatManifestLogMessage(createdItem)); onItemCreated(createdItem); } } diff --git a/actions/setup/js/safe_output_manifest.cjs b/actions/setup/js/safe_output_manifest.cjs index 8cb1b316ea..53a71d2a71 100644 --- a/actions/setup/js/safe_output_manifest.cjs +++ b/actions/setup/js/safe_output_manifest.cjs @@ -11,8 +11,9 @@ const { ERR_SYSTEM } = require("./error_codes.cjs"); const MANIFEST_FILE_PATH = "/tmp/safe-output-items.jsonl"; /** - * Safe output types that create items in GitHub. - * These are the types that should be logged to the manifest. + * Safe output types that create new items in GitHub (these typically return a URL, + * but the URL may be omitted in some cases). + * Kept for backward compatibility. * @type {Set} */ const CREATE_ITEM_TYPES = new Set([ @@ -29,10 +30,23 @@ const CREATE_ITEM_TYPES = new Set([ "autofix_code_scanning_alert", ]); +/** + * Safe output types that should NEVER be logged to the manifest. + * These types represent metadata signals rather than GitHub state changes: + * - noop: no-op message, produces no GitHub side effects + * - missing_tool: records a missing tool capability (metadata only) + * - missing_data: records missing required data (metadata only) + * + * All other types — built-in handler types, custom safe job types, and + * any future types — are logged automatically without needing to update this list. + * @type {Set} + */ +const NOT_LOGGED_TYPES = new Set(["noop", "missing_tool", "missing_data"]); + /** * @typedef {Object} ManifestEntry * @property {string} type - The safe output type (e.g., "create_issue") - * @property {string} url - URL of the created item in GitHub + * @property {string} [url] - URL of the affected item in GitHub (present for creation types; omitted for modification types that don't return a URL) * @property {number} [number] - Issue/PR/discussion number if applicable * @property {string} [repo] - Repository slug (owner/repo) if applicable * @property {string} [temporaryId] - Temporary ID assigned to this item, if any @@ -40,7 +54,7 @@ const CREATE_ITEM_TYPES = new Set([ */ /** - * Create a manifest logger function for recording created items. + * Create a manifest logger function for recording executed safe output items. * * The logger writes JSONL entries to the specified manifest file. * It is designed to be easily testable by accepting the file path as a parameter. @@ -54,18 +68,17 @@ function createManifestLogger(manifestFile = MANIFEST_FILE_PATH) { ensureManifestExists(manifestFile); /** - * Log a created item to the manifest file. - * Items without a URL are silently skipped. + * Log an executed safe output item to the manifest file. * - * @param {{type: string, url?: string, number?: number, repo?: string, temporaryId?: string}} item - Created item details + * @param {{type: string, url?: string, number?: number, repo?: string, temporaryId?: string}} item - Executed item details */ return function logCreatedItem(item) { - if (!item || !item.url) return; + if (!item) return; /** @type {ManifestEntry} */ const entry = { type: item.type, - url: item.url, + ...(item.url ? { url: item.url } : {}), ...(item.number != null ? { number: item.number } : {}), ...(item.repo ? { repo: item.repo } : {}), ...(item.temporaryId ? { temporaryId: item.temporaryId } : {}), @@ -99,27 +112,31 @@ function ensureManifestExists(manifestFile = MANIFEST_FILE_PATH) { } /** - * Extract created item details from a handler result for manifest logging. - * Returns null if the result does not represent a created item with a URL, - * or if the result is from a staged (preview) run where no item was actually created. + * Extract executed item details from a handler result for manifest logging. + * Returns null if the type is explicitly excluded (NOT_LOGGED_TYPES) or if the + * result is from a staged (preview) run where no item was actually modified. + * + * All other types — built-in handlers, custom safe job types, and future types — + * are logged automatically. For creation types (CREATE_ITEM_TYPES), the result + * URL is included when present. For modification types (e.g. add_labels, + * close_issue), the URL is optional. * * @param {string} type - The handler type (e.g., "create_issue") * @param {any} result - The handler result object - * @returns {{type: string, url: string, number?: number, repo?: string, temporaryId?: string}|null} + * @returns {{type: string, url?: string, number?: number, repo?: string, temporaryId?: string}|null} */ function extractCreatedItemFromResult(type, result) { - if (!result || !CREATE_ITEM_TYPES.has(type)) return null; + if (!result || NOT_LOGGED_TYPES.has(type)) return null; - // In staged mode (🎭 Staged Mode Preview), no item was actually created in GitHub — skip logging + // In staged mode (🎭 Staged Mode Preview), no item was actually modified in GitHub — skip logging if (result.staged === true) return null; - // Normalize URL from different result shapes + // Normalize URL from different result shapes (present for creation types) const url = result.url || result.projectUrl || result.html_url; - if (!url) return null; return { type, - url, + ...(url ? { url } : {}), ...(result.number != null ? { number: result.number } : {}), ...(result.repo ? { repo: result.repo } : {}), ...(result.temporaryId ? { temporaryId: result.temporaryId } : {}), @@ -129,6 +146,7 @@ function extractCreatedItemFromResult(type, result) { module.exports = { MANIFEST_FILE_PATH, CREATE_ITEM_TYPES, + NOT_LOGGED_TYPES, createManifestLogger, ensureManifestExists, extractCreatedItemFromResult, diff --git a/actions/setup/js/safe_output_manifest.test.cjs b/actions/setup/js/safe_output_manifest.test.cjs index 07c76b58e1..dd98cb273c 100644 --- a/actions/setup/js/safe_output_manifest.test.cjs +++ b/actions/setup/js/safe_output_manifest.test.cjs @@ -2,7 +2,7 @@ import { describe, it, expect, beforeEach, afterEach } from "vitest"; import fs from "fs"; import path from "path"; -import { MANIFEST_FILE_PATH, CREATE_ITEM_TYPES, createManifestLogger, ensureManifestExists, extractCreatedItemFromResult } from "./safe_output_manifest.cjs"; +import { MANIFEST_FILE_PATH, CREATE_ITEM_TYPES, NOT_LOGGED_TYPES, createManifestLogger, ensureManifestExists, extractCreatedItemFromResult } from "./safe_output_manifest.cjs"; describe("safe_output_manifest", () => { let testManifestFile; @@ -47,6 +47,33 @@ describe("safe_output_manifest", () => { }); }); + describe("NOT_LOGGED_TYPES", () => { + it("should contain only noop and internal meta types", () => { + expect(NOT_LOGGED_TYPES.has("noop")).toBe(true); + expect(NOT_LOGGED_TYPES.has("missing_tool")).toBe(true); + expect(NOT_LOGGED_TYPES.has("missing_data")).toBe(true); + }); + + it("should not contain any handler or modification types (all are logged by default)", () => { + expect(NOT_LOGGED_TYPES.has("create_issue")).toBe(false); + expect(NOT_LOGGED_TYPES.has("add_labels")).toBe(false); + expect(NOT_LOGGED_TYPES.has("close_issue")).toBe(false); + expect(NOT_LOGGED_TYPES.has("update_issue")).toBe(false); + }); + + it("should not contain CREATE_ITEM_TYPES (they are logged)", () => { + for (const type of CREATE_ITEM_TYPES) { + expect(NOT_LOGGED_TYPES.has(type)).toBe(false); + } + }); + + it("should allow custom safe job types to be logged automatically (not in exclusion list)", () => { + // Custom safe job types are never added to NOT_LOGGED_TYPES so they are always logged + expect(NOT_LOGGED_TYPES.has("my_custom_job_type")).toBe(false); + expect(NOT_LOGGED_TYPES.has("deploy_to_staging")).toBe(false); + }); + }); + describe("createManifestLogger", () => { it("should append a JSONL entry when called with a url", () => { const log = createManifestLogger(testManifestFile); @@ -67,13 +94,19 @@ describe("safe_output_manifest", () => { expect(Date.parse(entry.timestamp)).not.toBeNaN(); }); - it("should skip items without a url", () => { + it("should append a JSONL entry for an item without a url (modification type)", () => { const log = createManifestLogger(testManifestFile); - log({ type: "create_issue", url: undefined }); + log({ type: "add_labels", number: 20875 }); - // File is created by createManifestLogger() immediately, but should be empty - expect(fs.existsSync(testManifestFile)).toBe(true); - expect(fs.readFileSync(testManifestFile, "utf8")).toBe(""); + const content = fs.readFileSync(testManifestFile, "utf8"); + const lines = content.trim().split("\n"); + expect(lines).toHaveLength(1); + + const entry = JSON.parse(lines[0]); + expect(entry.type).toBe("add_labels"); + expect(entry.url).toBeUndefined(); + expect(entry.number).toBe(20875); + expect(entry.timestamp).toBeDefined(); }); it("should skip null/undefined items", () => { @@ -194,20 +227,45 @@ describe("safe_output_manifest", () => { expect(item.type).toBe("add_comment"); }); - it("should return null for non-create types", () => { + it("should return null for excluded types (noop and internal meta types)", () => { const result = { success: true, url: "https://github.com/owner/repo/issues/1" }; - expect(extractCreatedItemFromResult("update_issue", result)).toBeNull(); - expect(extractCreatedItemFromResult("close_issue", result)).toBeNull(); - expect(extractCreatedItemFromResult("add_labels", result)).toBeNull(); expect(extractCreatedItemFromResult("noop", result)).toBeNull(); + expect(extractCreatedItemFromResult("missing_tool", result)).toBeNull(); + expect(extractCreatedItemFromResult("missing_data", result)).toBeNull(); }); - it("should return null for staged results (no item actually created)", () => { - // Staged results have staged: true and no URL — nothing was really created + it("should extract item from custom safe job type (generic: any type not excluded is logged)", () => { + const result = { success: true, number: 42 }; + const item = extractCreatedItemFromResult("my_custom_job_type", result); + expect(item).not.toBeNull(); + expect(item.type).toBe("my_custom_job_type"); + expect(item.number).toBe(42); + }); + + it("should extract item from add_labels result (modification type without url)", () => { + const result = { success: true, number: 20875, labelsAdded: ["bug", "cli"], contextType: "issue" }; + const item = extractCreatedItemFromResult("add_labels", result); + expect(item).not.toBeNull(); + expect(item.type).toBe("add_labels"); + expect(item.url).toBeUndefined(); + expect(item.number).toBe(20875); + }); + + it("should extract item from close_issue result (modification type with url)", () => { + const result = { success: true, number: 123, url: "https://github.com/owner/repo/issues/123", title: "Test" }; + const item = extractCreatedItemFromResult("close_issue", result); + expect(item).not.toBeNull(); + expect(item.type).toBe("close_issue"); + expect(item.url).toBe("https://github.com/owner/repo/issues/123"); + expect(item.number).toBe(123); + }); + + it("should return null for staged results (no item actually modified)", () => { + // Staged results have staged: true — nothing was really changed const stagedResult = { success: true, staged: true, previewInfo: { repo: "owner/repo", title: "Test" } }; expect(extractCreatedItemFromResult("create_issue", stagedResult)).toBeNull(); expect(extractCreatedItemFromResult("add_comment", stagedResult)).toBeNull(); - expect(extractCreatedItemFromResult("create_discussion", stagedResult)).toBeNull(); + expect(extractCreatedItemFromResult("add_labels", stagedResult)).toBeNull(); }); it("should return null for staged results even if url is somehow present", () => { @@ -216,9 +274,12 @@ describe("safe_output_manifest", () => { expect(extractCreatedItemFromResult("create_issue", stagedResultWithUrl)).toBeNull(); }); - it("should return null when result has no URL", () => { + it("should return item without url when result has no URL (for logged types)", () => { const result = { success: true, repo: "owner/repo", number: 1 }; - expect(extractCreatedItemFromResult("create_issue", result)).toBeNull(); + const item = extractCreatedItemFromResult("create_issue", result); + expect(item).not.toBeNull(); + expect(item.url).toBeUndefined(); + expect(item.number).toBe(1); }); it("should return null for null/undefined result", () => { diff --git a/actions/setup/js/safe_outputs_mcp_server_http.cjs b/actions/setup/js/safe_outputs_mcp_server_http.cjs index 8f6bbdf930..7abf584111 100644 --- a/actions/setup/js/safe_outputs_mcp_server_http.cjs +++ b/actions/setup/js/safe_outputs_mcp_server_http.cjs @@ -337,6 +337,13 @@ async function startHttpServer(options = {}) { } }); + // Disable all HTTP server timeouts to prevent idle connections from being dropped + // during long agent runs where safe-output tools may not be called for several minutes. + httpServer.timeout = 0; + httpServer.keepAliveTimeout = 0; + httpServer.headersTimeout = 0; + httpServer.requestTimeout = 0; + // Start listening logger.debug(`Attempting to bind to port ${port}...`); httpServer.listen(port, () => { diff --git a/actions/setup/sh/configure_gh_for_ghe.sh b/actions/setup/sh/configure_gh_for_ghe.sh new file mode 100755 index 0000000000..e61fc924d3 --- /dev/null +++ b/actions/setup/sh/configure_gh_for_ghe.sh @@ -0,0 +1,122 @@ +#!/usr/bin/env bash +# Configure gh CLI for GitHub Enterprise +# +# This script configures the gh CLI to work with GitHub Enterprise environments +# by detecting the GitHub host from environment variables and setting up gh to +# authenticate with that host. +# +# Environment variables checked (in priority order): +# 1. GITHUB_SERVER_URL - GitHub Actions standard (e.g., https://MYORG.ghe.com) +# 2. GITHUB_ENTERPRISE_HOST - GitHub Enterprise standard (e.g., MYORG.ghe.com) +# 3. GITHUB_HOST - GitHub Enterprise standard (e.g., MYORG.ghe.com) +# 4. GH_HOST - GitHub CLI standard (e.g., MYORG.ghe.com) +# +# If none are set, defaults to github.com (public GitHub). + +ORIGINAL_SHELL_FLAGS="$-" +set -e + +# Function to normalize GitHub host URL +normalize_github_host() { + local host="$1" + + # Remove trailing slashes + host="${host%/}" + + # Extract hostname from URL if it's a full URL + if [[ "$host" =~ ^https?:// ]]; then + host="${host#http://}" + host="${host#https://}" + host="${host%%/*}" + fi + + echo "$host" +} + +# Detect GitHub host from environment variables +detect_github_host() { + local host="" + + if [ -n "${GITHUB_SERVER_URL}" ]; then + host=$(normalize_github_host "${GITHUB_SERVER_URL}") + echo "Detected GitHub host from GITHUB_SERVER_URL: ${host}" >&2 + elif [ -n "${GITHUB_ENTERPRISE_HOST}" ]; then + host=$(normalize_github_host "${GITHUB_ENTERPRISE_HOST}") + echo "Detected GitHub host from GITHUB_ENTERPRISE_HOST: ${host}" >&2 + elif [ -n "${GITHUB_HOST}" ]; then + host=$(normalize_github_host "${GITHUB_HOST}") + echo "Detected GitHub host from GITHUB_HOST: ${host}" >&2 + elif [ -n "${GH_HOST}" ]; then + host=$(normalize_github_host "${GH_HOST}") + echo "Detected GitHub host from GH_HOST: ${host}" >&2 + else + host="github.com" + echo "No GitHub host environment variable set, using default: ${host}" >&2 + fi + + echo "$host" +} + +# Main configuration +main() { + local github_host + github_host=$(detect_github_host) + + # If the host is github.com, no configuration is needed + if [ "$github_host" = "github.com" ]; then + echo "Using public GitHub (github.com) - no additional gh configuration needed" + return 0 + fi + + echo "Configuring gh CLI for GitHub Enterprise host: ${github_host}" + + # Check if gh is installed + if ! command -v gh &> /dev/null; then + echo "::error::gh CLI is not installed. Please install gh CLI to use with GitHub Enterprise." + exit 1 + fi + + # Check if GH_TOKEN is set + if [ -z "${GH_TOKEN}" ]; then + echo "::error::GH_TOKEN environment variable is not set. gh CLI requires authentication." + exit 1 + fi + + # Configure gh to use the enterprise host + # We use 'gh auth login' with the token to configure the host + echo "Authenticating gh CLI with host: ${github_host}" + + # Use gh auth login with --with-token to configure the host + # This sets up gh to use the correct API endpoint for the enterprise host + echo "${GH_TOKEN}" | gh auth login --hostname "${github_host}" --with-token + + if [ $? -eq 0 ]; then + echo "✓ Successfully configured gh CLI for ${github_host}" + + # Verify the configuration + if gh auth status --hostname "${github_host}" &> /dev/null; then + echo "✓ Verified gh CLI authentication for ${github_host}" + else + echo "::warning::gh CLI configured but authentication verification failed" + fi + else + echo "::error::Failed to configure gh CLI for ${github_host}" + exit 1 + fi + + # Set GH_HOST environment variable to ensure gh uses the correct host for subsequent commands + export GH_HOST="${github_host}" + if [ -n "${GITHUB_ENV:-}" ]; then + echo "GH_HOST=${github_host}" >> "${GITHUB_ENV}" + fi + echo "✓ Set GH_HOST environment variable to ${github_host}" +} + +# Run main function +main + +# Restore original errexit state so sourcing this script does not leak set -e +case "$ORIGINAL_SHELL_FLAGS" in + *e*) set -e ;; + *) set +e ;; +esac diff --git a/actions/setup/sh/configure_gh_for_ghe_test.sh b/actions/setup/sh/configure_gh_for_ghe_test.sh new file mode 100755 index 0000000000..2de3fec315 --- /dev/null +++ b/actions/setup/sh/configure_gh_for_ghe_test.sh @@ -0,0 +1,105 @@ +#!/usr/bin/env bash +# Test script for configure_gh_for_ghe.sh + +set -e + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +CONFIGURE_GH_SCRIPT="${SCRIPT_DIR}/configure_gh_for_ghe.sh" + +echo "Testing configure_gh_for_ghe.sh" +echo "================================" + +# Test 1: Check script exists and is executable +echo "" +echo "Test 1: Checking script exists and is executable..." +if [ ! -f "${CONFIGURE_GH_SCRIPT}" ]; then + echo "FAIL: Script not found at ${CONFIGURE_GH_SCRIPT}" + exit 1 +fi + +if [ ! -x "${CONFIGURE_GH_SCRIPT}" ]; then + echo "FAIL: Script is not executable" + exit 1 +fi +echo "PASS: Script exists and is executable" + +# Test 2: Test with github.com (should skip configuration) +echo "" +echo "Test 2: Testing with github.com (should skip configuration)..." +unset GITHUB_SERVER_URL GITHUB_ENTERPRISE_HOST GITHUB_HOST GH_HOST +output=$(bash -c "source ${CONFIGURE_GH_SCRIPT}" 2>&1) +if echo "$output" | grep -q "Using public GitHub (github.com)"; then + echo "PASS: Correctly detected github.com and skipped configuration" +else + echo "FAIL: Did not detect github.com correctly" + echo "Output: $output" + exit 1 +fi + +# Test 3: Test host detection from GITHUB_SERVER_URL +echo "" +echo "Test 3: Testing host detection from GITHUB_SERVER_URL..." +export GITHUB_SERVER_URL="https://myorg.ghe.com" +export GH_TOKEN="test-token" +# Use the real detect_github_host implementation from configure_gh_for_ghe.sh +output=$(bash -c "source '${CONFIGURE_GH_SCRIPT}'; detect_github_host" 2>&1) +if [ "$output" = "myorg.ghe.com" ]; then + echo "PASS: Correctly extracted host from GITHUB_SERVER_URL" +else + echo "FAIL: Did not extract host correctly. Got: $output" + exit 1 +fi + +# Test 4: Test host detection from GITHUB_ENTERPRISE_HOST +echo "" +echo "Test 4: Testing host detection from GITHUB_ENTERPRISE_HOST..." +unset GITHUB_SERVER_URL +export GITHUB_ENTERPRISE_HOST="enterprise.github.com" +# Use the real detect_github_host implementation from configure_gh_for_ghe.sh +output=$(bash -c "source '${CONFIGURE_GH_SCRIPT}'; detect_github_host" 2>&1) +if [ "$output" = "enterprise.github.com" ]; then + echo "PASS: Correctly extracted host from GITHUB_ENTERPRISE_HOST" +else + echo "FAIL: Did not extract host correctly. Got: $output" + exit 1 +fi + +# Test 5: Test URL normalization +echo "" +echo "Test 5: Testing URL normalization..." +declare -A test_cases=( + ["https://myorg.ghe.com"]="myorg.ghe.com" + ["http://myorg.ghe.com"]="myorg.ghe.com" + ["https://myorg.ghe.com/"]="myorg.ghe.com" + ["myorg.ghe.com"]="myorg.ghe.com" + ["https://github.enterprise.com/api/v3"]="github.enterprise.com" +) + +for input in "${!test_cases[@]}"; do + expected="${test_cases[$input]}" + output=$(bash -c " + normalize_github_host() { + local host=\"\$1\" + host=\"\${host%/}\" + if [[ \"\$host\" =~ ^https?:// ]]; then + host=\"\${host#http://}\" + host=\"\${host#https://}\" + host=\"\${host%%/*}\" + fi + echo \"\$host\" + } + normalize_github_host '$input' + " 2>&1) + + if [ "$output" = "$expected" ]; then + echo " PASS: '$input' -> '$output'" + else + echo " FAIL: '$input' -> '$output' (expected '$expected')" + exit 1 + fi +done + +echo "" +echo "================================" +echo "All tests passed!" +echo "================================" diff --git a/docs/src/content/docs/reference/tools.md b/docs/src/content/docs/reference/tools.md index d32f566cec..70b1e3a188 100644 --- a/docs/src/content/docs/reference/tools.md +++ b/docs/src/content/docs/reference/tools.md @@ -131,43 +131,16 @@ mcp-servers: ### Registry Field -The `registry` field specifies the URI to an MCP server's installation location in an MCP registry. This is useful for documenting the source of an MCP server and can be used by tooling to discover and install MCP servers: +The `registry` field specifies the source URI of an MCP server in a registry. It is informational — useful for documenting server origin and enabling registry-aware tooling — and does not affect execution. Works with both stdio and HTTP servers: ```yaml wrap -mcp-servers: - markitdown: - registry: "https://api.mcp.github.com/v0/servers/microsoft/markitdown" - command: "npx" - args: ["-y", "@microsoft/markitdown"] -``` - -**When to use**: - -- **Document server source**: Include `registry` to indicate where the MCP server is published -- **Registry-aware tooling**: Some tools may use the registry URI for discovery and version management -- **Both stdio and HTTP servers**: Works with both `command`-based stdio servers and `url`-based HTTP servers - -**Examples**: - -```yaml wrap -# Stdio server with registry mcp-servers: filesystem: registry: "https://api.mcp.github.com/v0/servers/modelcontextprotocol/filesystem" command: "npx" args: ["-y", "@modelcontextprotocol/server-filesystem"] - -# HTTP server with registry -mcp-servers: - custom-api: - registry: "https://registry.example.com/servers/custom-api" - url: "https://api.example.com/mcp" - headers: - Authorization: "Bearer ${{ secrets.API_TOKEN }}" ``` -The `registry` field is informational and does not affect server execution. It complements other configuration fields like `command`, `args`, `container`, or `url`. - ## Related Documentation - [GitHub Tools](/gh-aw/reference/github-tools/) - GitHub API operations, toolsets, and modes @@ -178,6 +151,3 @@ The `registry` field is informational and does not affect server execution. It c - [Frontmatter](/gh-aw/reference/frontmatter/) - All frontmatter configuration options - [Network Permissions](/gh-aw/reference/network/) - Network access control for AI engines - [MCPs](/gh-aw/guides/mcps/) - Complete Model Context Protocol setup and usage -- [CLI Commands](/gh-aw/setup/cli/) - CLI commands for workflow management -- [Workflow Structure](/gh-aw/reference/workflow-structure/) - Directory layout and organization -- [Imports](/gh-aw/reference/imports/) - Modularizing workflows with includes diff --git a/docs/src/content/docs/setup/cli.md b/docs/src/content/docs/setup/cli.md index 03b7aa139f..e49abbe536 100644 --- a/docs/src/content/docs/setup/cli.md +++ b/docs/src/content/docs/setup/cli.md @@ -75,6 +75,30 @@ gh auth login --hostname github.enterprise.com # Authenticate gh aw logs workflow --repo github.enterprise.com/owner/repo # Use with commands ``` +Commands that support `--create-pull-request` (such as `gh aw add`, `gh aw add-wizard`, `gh aw init`, `gh aw update`, and `gh aw upgrade`) automatically detect the enterprise host from the git remote and route PR creation to the correct GHES instance. No extra flags are needed. + +#### Configuring `gh` CLI in workflow steps on GHES + +When agentic workflows run on GitHub Enterprise Server and use custom `steps:` that invoke `gh` CLI commands, source the bundled helper script to configure `gh` for the enterprise host: + +```yaml wrap +steps: + - name: Configure gh for GHE + run: source /opt/gh-aw/actions/configure_gh_for_ghe.sh + + - name: Fetch repository data + env: + GH_TOKEN: ${{ github.token }} + run: | + gh issue list --state open --limit 500 --json number,labels + gh pr list --state open --limit 200 --json number,title +``` + +The script automatically detects the GitHub host from the `GITHUB_SERVER_URL` environment variable (set by GitHub Actions on GHES) and configures `gh` to authenticate against it. No manual configuration is needed for standard GHES deployments. The script is installed to `/opt/gh-aw/actions/configure_gh_for_ghe.sh` by the setup action. + +> [!NOTE] +> Custom steps run outside the agent firewall sandbox and have access to standard GitHub Actions environment variables including `GITHUB_SERVER_URL`, `GITHUB_TOKEN`, and `GH_TOKEN`. + ## Global Options | Flag | Description | diff --git a/pkg/cli/audit_report.go b/pkg/cli/audit_report.go index 355f4ae809..9c4d7bf223 100644 --- a/pkg/cli/audit_report.go +++ b/pkg/cli/audit_report.go @@ -105,10 +105,12 @@ type FileInfo struct { Description string `json:"description"` } -// CreatedItemReport represents a single item created in GitHub by a safe output handler +// CreatedItemReport represents a single item executed in GitHub by a safe output handler. +// URL is present for creation types (e.g. create_issue, add_comment) but may be empty +// for modification types (e.g. add_labels, close_issue) that do not return a URL. type CreatedItemReport struct { Type string `json:"type" console:"header:Type"` - URL string `json:"url" console:"header:URL"` + URL string `json:"url,omitempty" console:"header:URL,omitempty"` Number int `json:"number,omitempty" console:"header:Number,omitempty"` Repo string `json:"repo,omitempty" console:"header:Repo,omitempty"` TemporaryID string `json:"temporaryId,omitempty" console:"header:Temp ID,omitempty"` @@ -409,7 +411,7 @@ func extractCreatedItemsFromManifest(logsPath string) []CreatedItemReport { auditReportLog.Printf("Skipping invalid manifest line: %v", err) continue } - if item.URL == "" { + if item.Type == "" { continue } items = append(items, item) diff --git a/pkg/cli/audit_report_test.go b/pkg/cli/audit_report_test.go index a23203d9f8..ddec7b6ddc 100644 --- a/pkg/cli/audit_report_test.go +++ b/pkg/cli/audit_report_test.go @@ -1150,16 +1150,31 @@ func TestExtractCreatedItemsFromManifest(t *testing.T) { assert.Equal(t, "add_comment", items[1].Type) }) - t.Run("skips entries without URL", func(t *testing.T) { + t.Run("includes entries without URL (modification types like add_labels)", func(t *testing.T) { dir := t.TempDir() - content := `{"type":"create_issue","url":"","timestamp":"2024-01-01T00:00:00Z"} + content := `{"type":"add_labels","number":20875,"timestamp":"2024-01-01T00:00:00Z"} {"type":"create_issue","url":"https://github.com/owner/repo/issues/2","timestamp":"2024-01-01T00:01:00Z"} ` require.NoError(t, os.WriteFile(filepath.Join(dir, safeOutputItemsManifestFilename), []byte(content), 0600)) items := extractCreatedItemsFromManifest(dir) - require.Len(t, items, 1, "should skip entry with empty URL") - assert.Equal(t, "https://github.com/owner/repo/issues/2", items[0].URL) + require.Len(t, items, 2, "should include both entries: one without URL and one with URL") + assert.Equal(t, "add_labels", items[0].Type) + assert.Empty(t, items[0].URL) + assert.Equal(t, 20875, items[0].Number) + assert.Equal(t, "https://github.com/owner/repo/issues/2", items[1].URL) + }) + + t.Run("skips entries without type field", func(t *testing.T) { + dir := t.TempDir() + content := `{"url":"https://github.com/owner/repo/issues/1","timestamp":"2024-01-01T00:00:00Z"} +{"type":"add_comment","url":"https://github.com/owner/repo/issues/1#issuecomment-1","timestamp":"2024-01-01T00:02:00Z"} +` + require.NoError(t, os.WriteFile(filepath.Join(dir, safeOutputItemsManifestFilename), []byte(content), 0600)) + + items := extractCreatedItemsFromManifest(dir) + require.Len(t, items, 1, "should skip entry without type and parse 1 valid one") + assert.Equal(t, "add_comment", items[0].Type) }) t.Run("skips invalid JSON lines", func(t *testing.T) { diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go index c0236f25c3..c7071672ca 100644 --- a/pkg/cli/copilot_setup.go +++ b/pkg/cli/copilot_setup.go @@ -299,6 +299,32 @@ func renderCopilotSetupUpdateInstructions(filePath string, actionMode workflow.A var setupCliUsesPattern = regexp.MustCompile( `(?m)^(\s+uses:[ \t]*)"?(github/gh-aw(?:-actions)?/(?:actions/)?setup-cli@[^"\n]*)"?([ \t]*)$`) +// versionInWithPattern matches the version: parameter in the with: block that immediately +// follows any setup-cli uses: line (any ref format: version tag, SHA-pinned, or quoted). +// It is anchored to the same action repos as setupCliUsesPattern so that it only updates +// the version belonging to the setup-cli step, but is independent of the exact ref value. +// This allows it to correct pre-existing drift where the uses: comment and with: version: +// were already out of sync before the upgrade was run. +// +// Pattern breakdown: +// +// [ \t]+uses:[ \t]* — indented uses: key with optional surrounding spaces +// "?github/gh-aw(?:-actions)?/(?:actions/)?setup-cli@[^"\n]*"? +// — any setup-cli ref (version tag, SHA+comment, or quoted) +// [^\n]*\n — rest of the uses: line (e.g. trailing spaces) +// (?:[^\n]*\n)*? — zero or more lines between uses: and with: (non-greedy) +// [ \t]+with:[ \t]*\n — indented with: key +// (?:[^\n]*\n)*? — zero or more lines between with: and version: (non-greedy) +// [ \t]+version:[ \t]* — indented version: key (final part of the prefix captured as group 1) +// (\S+) — the version value (captured as group 2) +// ([ \t]*(?:\n|$)) — trailing whitespace and line terminator (captured as group 3) +// +// Note: In the full pattern, group 1 wraps the entire prefix from the setup-cli `uses:` line +// through the `version:` key (and following spaces), group 2 is just the version value, and +// group 3 is the trailing whitespace plus the line terminator. +var versionInWithPattern = regexp.MustCompile( + `(?s)([ \t]+uses:[ \t]*"?github/gh-aw(?:-actions)?/(?:actions/)?setup-cli@[^"\n]*"?[^\n]*\n(?:[^\n]*\n)*?[ \t]+with:[ \t]*\n(?:[^\n]*\n)*?[ \t]+version:[ \t]*)(\S+)([ \t]*(?:\n|$))`) + // upgradeSetupCliVersionInContent replaces the setup-cli action reference and the // associated version: parameter in the raw YAML content using targeted regex // substitutions, preserving all other formatting in the file. @@ -325,13 +351,9 @@ func upgradeSetupCliVersionInContent(content []byte, actionMode workflow.ActionM updated := setupCliUsesPattern.ReplaceAll(content, []byte("${1}"+newUses+"${3}")) // Replace the version: value in the with: block immediately following the - // setup-cli uses: line. A combined multiline match is used so that only the - // version: parameter belonging to this specific step is updated. - // This pattern cannot be pre-compiled at package level because it embeds - // the runtime value newUses (which varies with version and resolver output). - escapedNewUses := regexp.QuoteMeta(newUses) - versionInWithPattern := regexp.MustCompile( - `(?s)(uses:[ \t]*` + escapedNewUses + `[^\n]*\n(?:[^\n]*\n)*?[ \t]+with:[ \t]*\n(?:[^\n]*\n)*?[ \t]+version:[ \t]*)(\S+)([ \t]*(?:\n|$))`) + // setup-cli uses: line. versionInWithPattern matches any valid setup-cli + // reference so it succeeds even when there was pre-existing drift between + // the uses: comment and the version: parameter before the upgrade was run. updated = versionInWithPattern.ReplaceAll(updated, []byte("${1}"+version+"${3}")) if bytes.Equal(content, updated) { diff --git a/pkg/cli/copilot_setup_test.go b/pkg/cli/copilot_setup_test.go index 8428043543..84c801d7e8 100644 --- a/pkg/cli/copilot_setup_test.go +++ b/pkg/cli/copilot_setup_test.go @@ -1141,6 +1141,61 @@ jobs: resolver: nil, expectUpgrade: false, }, + { + name: "corrects drift: SHA-pinned uses comment ahead of with: version:", + content: `jobs: + copilot-setup-steps: + steps: + - name: Install gh-aw extension + uses: github/gh-aw/actions/setup-cli@cb7966564184443e601bd6135d5fbb534300070e # v0.58.0 + with: + version: v0.53.6 +`, + actionMode: workflow.ActionModeRelease, + version: "v0.60.0", + resolver: &mockSHAResolver{sha: "newsha123"}, + expectUpgrade: true, + validate: func(t *testing.T, got string) { + if !strings.Contains(got, "uses: github/gh-aw/actions/setup-cli@newsha123 # v0.60.0") { + t.Errorf("Expected updated SHA-pinned uses: line, got:\n%s", got) + } + if !strings.Contains(got, "version: v0.60.0") { + t.Errorf("Expected with: version: updated to v0.60.0, got:\n%s", got) + } + if strings.Contains(got, "v0.53.6") { + t.Errorf("Stale version v0.53.6 should be gone, got:\n%s", got) + } + if strings.Contains(got, "v0.58.0") { + t.Errorf("Old comment version v0.58.0 should be gone, got:\n%s", got) + } + }, + }, + { + name: "corrects drift: version-tag uses ahead of with: version:", + content: `jobs: + copilot-setup-steps: + steps: + - name: Install gh-aw extension + uses: github/gh-aw/actions/setup-cli@v0.58.0 + with: + version: v0.53.6 +`, + actionMode: workflow.ActionModeRelease, + version: "v0.60.0", + resolver: nil, + expectUpgrade: true, + validate: func(t *testing.T, got string) { + if !strings.Contains(got, "uses: github/gh-aw/actions/setup-cli@v0.60.0") { + t.Errorf("Expected updated uses: line, got:\n%s", got) + } + if !strings.Contains(got, "version: v0.60.0") { + t.Errorf("Expected with: version: updated to v0.60.0, got:\n%s", got) + } + if strings.Contains(got, "v0.53.6") { + t.Errorf("Stale version v0.53.6 should be gone, got:\n%s", got) + } + }, + }, } for _, tt := range tests { diff --git a/pkg/cli/git.go b/pkg/cli/git.go index 725c4d2aff..0ca4c85b40 100644 --- a/pkg/cli/git.go +++ b/pkg/cli/git.go @@ -87,6 +87,60 @@ func parseGitHubRepoSlugFromURL(url string) string { return "" } +// extractHostFromRemoteURL extracts the host (optionally including port) from a git remote URL. +// Supports HTTPS (https://host[:port]/path), HTTP (http://host[:port]/path), and SSH (git@host[:port]:path or ssh://git@host[:port]/path) formats. +// Returns the host portion as "host[:port]" when parsed, or "github.com" as the default if the URL cannot be parsed. +func extractHostFromRemoteURL(remoteURL string) string { + // HTTPS / HTTP format: https://host/path or http://host/path + for _, scheme := range []string{"https://", "http://"} { + if after, ok := strings.CutPrefix(remoteURL, scheme); ok { + if host, _, found := strings.Cut(after, "/"); found { + return host + } + return after + } + } + + // SSH scp-like format: git@host:path + if after, ok := strings.CutPrefix(remoteURL, "git@"); ok { + if host, _, found := strings.Cut(after, ":"); found { + return host + } + } + + // SSH URL format: ssh://git@host/path or ssh://host/path + if after, ok := strings.CutPrefix(remoteURL, "ssh://"); ok { + // Strip optional user info (e.g. "git@") + if _, userStripped, hasAt := strings.Cut(after, "@"); hasAt { + after = userStripped + } + if host, _, found := strings.Cut(after, "/"); found { + return host + } + return after + } + + return "github.com" +} + +// getHostFromOriginRemote returns the hostname of the git origin remote. +// For example, a remote URL of "https://ghes.example.com/org/repo.git" returns "ghes.example.com", +// and "git@github.com:owner/repo.git" returns "github.com". +// Returns "github.com" as the default if the remote URL cannot be determined. +func getHostFromOriginRemote() string { + cmd := exec.Command("git", "config", "--get", "remote.origin.url") + output, err := cmd.Output() + if err != nil { + gitLog.Printf("Failed to get remote origin URL: %v", err) + return "github.com" + } + + remoteURL := strings.TrimSpace(string(output)) + host := extractHostFromRemoteURL(remoteURL) + gitLog.Printf("Detected GitHub host from remote origin: %s", host) + return host +} + // getRepositorySlugFromRemote extracts the repository slug (owner/repo) from git remote URL func getRepositorySlugFromRemote() string { gitLog.Print("Getting repository slug from git remote") diff --git a/pkg/cli/git_test.go b/pkg/cli/git_test.go index 1158e8524e..73b42c4845 100644 --- a/pkg/cli/git_test.go +++ b/pkg/cli/git_test.go @@ -453,3 +453,130 @@ func TestCheckWorkflowFileStatusNotInRepo(t *testing.T) { t.Error("Expected empty status when not in git repository") } } + +func TestExtractHostFromRemoteURL(t *testing.T) { + tests := []struct { + name string + url string + expected string + }{ + { + name: "public GitHub HTTPS", + url: "https://github.com/owner/repo.git", + expected: "github.com", + }, + { + name: "public GitHub SSH scp-like", + url: "git@github.com:owner/repo.git", + expected: "github.com", + }, + { + name: "GHES HTTPS", + url: "https://ghes.example.com/org/repo.git", + expected: "ghes.example.com", + }, + { + name: "GHES SSH scp-like", + url: "git@ghes.example.com:org/repo.git", + expected: "ghes.example.com", + }, + { + name: "GHES HTTPS without .git suffix", + url: "https://ghes.example.com/org/repo", + expected: "ghes.example.com", + }, + { + name: "SSH URL format with user", + url: "ssh://git@ghes.example.com/org/repo.git", + expected: "ghes.example.com", + }, + { + name: "SSH URL format without user", + url: "ssh://ghes.example.com/org/repo.git", + expected: "ghes.example.com", + }, + { + name: "HTTP URL", + url: "http://ghes.example.com/org/repo.git", + expected: "ghes.example.com", + }, + { + name: "empty URL defaults to github.com", + url: "", + expected: "github.com", + }, + { + name: "unrecognized URL defaults to github.com", + url: "not-a-url", + expected: "github.com", + }, + { + name: "GHES with port", + url: "https://ghes.example.com:8443/org/repo.git", + expected: "ghes.example.com:8443", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := extractHostFromRemoteURL(tt.url) + if got != tt.expected { + t.Errorf("extractHostFromRemoteURL(%q) = %q, want %q", tt.url, got, tt.expected) + } + }) + } +} + +func TestGetHostFromOriginRemote(t *testing.T) { + tmpDir := testutil.TempDir(t, "test-get-host-*") + + originalDir, err := os.Getwd() + if err != nil { + t.Fatalf("Failed to get current directory: %v", err) + } + defer func() { + if err := os.Chdir(originalDir); err != nil { + t.Logf("Warning: failed to restore directory: %v", err) + } + }() + + if err := os.Chdir(tmpDir); err != nil { + t.Fatalf("Failed to change to temp directory: %v", err) + } + + // Initialize a git repo + if err := exec.Command("git", "init").Run(); err != nil { + t.Skip("Git not available") + } + + t.Run("no remote defaults to github.com", func(t *testing.T) { + got := getHostFromOriginRemote() + if got != "github.com" { + t.Errorf("getHostFromOriginRemote() without remote = %q, want %q", got, "github.com") + } + }) + + t.Run("public GitHub remote", func(t *testing.T) { + if err := exec.Command("git", "remote", "add", "origin", "https://github.com/owner/repo.git").Run(); err != nil { + t.Fatalf("Failed to add remote: %v", err) + } + defer func() { _ = exec.Command("git", "remote", "remove", "origin").Run() }() + + got := getHostFromOriginRemote() + if got != "github.com" { + t.Errorf("getHostFromOriginRemote() = %q, want %q", got, "github.com") + } + }) + + t.Run("GHES remote", func(t *testing.T) { + if err := exec.Command("git", "remote", "add", "origin", "https://ghes.example.com/org/repo.git").Run(); err != nil { + t.Fatalf("Failed to add remote: %v", err) + } + defer func() { _ = exec.Command("git", "remote", "remove", "origin").Run() }() + + got := getHostFromOriginRemote() + if got != "ghes.example.com" { + t.Errorf("getHostFromOriginRemote() = %q, want %q", got, "ghes.example.com") + } + }) +} diff --git a/pkg/cli/pr_command.go b/pkg/cli/pr_command.go index df2e33fb83..0488d617cf 100644 --- a/pkg/cli/pr_command.go +++ b/pkg/cli/pr_command.go @@ -767,8 +767,18 @@ func createPR(branchName, title, body string, verbose bool) (int, string, error) fmt.Fprintln(os.Stderr, console.FormatProgressMessage("Creating PR: "+title)) } + // Detect the GitHub host from the git remote so that GitHub Enterprise Server + // repositories are targeted correctly instead of defaulting to github.com. + remoteHost := getHostFromOriginRemote() + + // Build gh repo view args, adding --hostname for GHES instances. + repoViewArgs := []string{"repo", "view", "--json", "owner,name"} + if remoteHost != "github.com" { + repoViewArgs = append(repoViewArgs, "--hostname", remoteHost) + } + // Get the current repository info to ensure PR is created in the correct repo - repoOutput, err := workflow.RunGH("Fetching repository info...", "repo", "view", "--json", "owner,name") + repoOutput, err := workflow.RunGH("Fetching repository info...", repoViewArgs...) if err != nil { return 0, "", fmt.Errorf("failed to get current repository info: %w", err) } @@ -786,8 +796,15 @@ func createPR(branchName, title, body string, verbose bool) (int, string, error) repoSpec := fmt.Sprintf("%s/%s", repoInfo.Owner.Login, repoInfo.Name) - // Explicitly specify the repository to ensure PR is created in the current repo (not upstream) - output, err := workflow.RunGH("Creating pull request...", "pr", "create", "--repo", repoSpec, "--title", title, "--body", body, "--head", branchName) + // Build gh pr create args. Explicitly specifying --repo ensures the PR is created in the + // current repo (not an upstream fork). For GHES instances, --hostname routes the request + // to the correct GitHub Enterprise host instead of defaulting to github.com. + prCreateArgs := []string{"pr", "create", "--repo", repoSpec, "--title", title, "--body", body, "--head", branchName} + if remoteHost != "github.com" { + prCreateArgs = append(prCreateArgs, "--hostname", remoteHost) + } + + output, err := workflow.RunGH("Creating pull request...", prCreateArgs...) if err != nil { // Try to get stderr for better error reporting var exitError *exec.ExitError diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 6686507737..b9e270b7b1 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -358,7 +358,7 @@ const AWFProxyLogsDir = "/tmp/gh-aw/sandbox/firewall/logs" const AWFDefaultLogLevel = "info" // DefaultMCPGatewayVersion is the default version of the MCP Gateway (gh-aw-mcpg) Docker image -const DefaultMCPGatewayVersion Version = "v0.1.14" +const DefaultMCPGatewayVersion Version = "v0.1.15" // DefaultMCPGatewayContainer is the default container image for the MCP Gateway const DefaultMCPGatewayContainer = "ghcr.io/github/gh-aw-mcpg" diff --git a/pkg/workflow/safe_outputs_config_generation.go b/pkg/workflow/safe_outputs_config_generation.go index 2f8328c530..ea26611424 100644 --- a/pkg/workflow/safe_outputs_config_generation.go +++ b/pkg/workflow/safe_outputs_config_generation.go @@ -105,6 +105,27 @@ func generateSafeOutputsConfig(data *WorkflowData) string { additionalFields, ) } + if data.SafeOutputs.ClosePullRequests != nil { + additionalFields := make(map[string]any) + if len(data.SafeOutputs.ClosePullRequests.RequiredLabels) > 0 { + additionalFields["required_labels"] = data.SafeOutputs.ClosePullRequests.RequiredLabels + } + if data.SafeOutputs.ClosePullRequests.RequiredTitlePrefix != "" { + additionalFields["required_title_prefix"] = data.SafeOutputs.ClosePullRequests.RequiredTitlePrefix + } + if data.SafeOutputs.ClosePullRequests.GitHubToken != "" { + additionalFields["github-token"] = data.SafeOutputs.ClosePullRequests.GitHubToken + } + if data.SafeOutputs.ClosePullRequests.Staged { + additionalFields["staged"] = true + } + safeOutputsConfig["close_pull_request"] = generateTargetConfigWithRepos( + data.SafeOutputs.ClosePullRequests.SafeOutputTargetConfig, + data.SafeOutputs.ClosePullRequests.Max, + 1, // default max + additionalFields, + ) + } if data.SafeOutputs.CreatePullRequests != nil { safeOutputsConfig["create_pull_request"] = generatePullRequestConfig( data.SafeOutputs.CreatePullRequests, diff --git a/pkg/workflow/safe_outputs_config_generation_test.go b/pkg/workflow/safe_outputs_config_generation_test.go index d571df42df..99098a901a 100644 --- a/pkg/workflow/safe_outputs_config_generation_test.go +++ b/pkg/workflow/safe_outputs_config_generation_test.go @@ -608,3 +608,78 @@ func TestGenerateSafeOutputsConfigReplyToPullRequestReviewCommentWithTarget(t *t assert.Equal(t, true, replyConfig["footer"], "footer should be true") } + +// TestGenerateSafeOutputsConfigClosePullRequest tests that generateSafeOutputsConfig correctly +// includes close_pull_request configuration in config.json. +func TestGenerateSafeOutputsConfigClosePullRequest(t *testing.T) { + maxVal := "3" + data := &WorkflowData{ + SafeOutputs: &SafeOutputsConfig{ + ClosePullRequests: &ClosePullRequestsConfig{ + BaseSafeOutputConfig: BaseSafeOutputConfig{ + Max: &maxVal, + GitHubToken: "${{ secrets.MY_TOKEN }}", + }, + SafeOutputTargetConfig: SafeOutputTargetConfig{ + Target: "*", + TargetRepoSlug: "org/repo", + AllowedRepos: []string{"org/other-repo"}, + }, + SafeOutputFilterConfig: SafeOutputFilterConfig{ + RequiredLabels: []string{"ready-to-close"}, + RequiredTitlePrefix: "[my-prefix]", + }, + }, + }, + } + + result := generateSafeOutputsConfig(data) + require.NotEmpty(t, result, "Expected non-empty config") + + var parsed map[string]any + require.NoError(t, json.Unmarshal([]byte(result), &parsed), "Result must be valid JSON") + + closePRConfig, ok := parsed["close_pull_request"].(map[string]any) + require.True(t, ok, "Expected close_pull_request key in config.json") + + assert.InDelta(t, float64(3), closePRConfig["max"], 0.0001, "max should be 3") + assert.Equal(t, "*", closePRConfig["target"], "target should be set") + assert.Equal(t, "org/repo", closePRConfig["target-repo"], "target-repo should be set") + assert.Equal(t, "${{ secrets.MY_TOKEN }}", closePRConfig["github-token"], "github-token should be set") + assert.Equal(t, "[my-prefix]", closePRConfig["required_title_prefix"], "required_title_prefix should be set") + + allowedRepos, ok := closePRConfig["allowed_repos"].([]any) + require.True(t, ok, "allowed_repos should be an array") + assert.Len(t, allowedRepos, 1, "Should have 1 allowed repo") + assert.Equal(t, "org/other-repo", allowedRepos[0], "allowed_repos entry should match") + + requiredLabels, ok := closePRConfig["required_labels"].([]any) + require.True(t, ok, "required_labels should be an array") + assert.Len(t, requiredLabels, 1, "Should have 1 required label") + assert.Equal(t, "ready-to-close", requiredLabels[0], "required_labels entry should match") +} + +// TestGenerateSafeOutputsConfigClosePullRequestStaged tests that staged is included in config.json. +func TestGenerateSafeOutputsConfigClosePullRequestStaged(t *testing.T) { + data := &WorkflowData{ + SafeOutputs: &SafeOutputsConfig{ + ClosePullRequests: &ClosePullRequestsConfig{ + BaseSafeOutputConfig: BaseSafeOutputConfig{ + Staged: true, + }, + }, + }, + } + + result := generateSafeOutputsConfig(data) + require.NotEmpty(t, result, "Expected non-empty config") + + var parsed map[string]any + require.NoError(t, json.Unmarshal([]byte(result), &parsed), "Result must be valid JSON") + + closePRConfig, ok := parsed["close_pull_request"].(map[string]any) + require.True(t, ok, "Expected close_pull_request key in config.json") + + assert.Equal(t, true, closePRConfig["staged"], "staged should be true") + assert.Nil(t, closePRConfig["github-token"], "github-token should not be set when empty") +} diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden index 0893a840cb..766e7a411f 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -278,7 +278,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -300,7 +300,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 4518a6142d..78fa22fd61 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -403,7 +403,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -451,7 +451,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden index bfacfdd185..12602d902c 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden @@ -281,7 +281,7 @@ jobs: const determineAutomaticLockdown = require(process.env.GH_AW_HOME + '/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${GH_AW_HOME}/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -303,7 +303,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash ${GH_AW_HOME}/actions/start_mcp_gateway.sh